ISA TR84 Part 2

TECHNICAL REPORT
ISA-TR84.00.03-2002
--
Guidance for Testing of Process

Sector Safety Instrumented
Functions (SIF) Implemented as
or Within Safety Instrumented
Systems (SIS)
|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
NOTICE OF COPYRIGHT
This is a copyrighted document and may not be copied or distributed in any
form or manner without the permission of ISA. This copy of the document was
made for the sole use of the person to whom ISA provided it and is subject to
the restrictions stated in ISAs license to that person. It may not be provided to
any other person in print, electronic, or any other form. Violations of ISAs
copyright will be prosecuted to the fullest extent of the law and may result in
substantial civil and criminal penalties.
Approved 17 June 2002

TM
ISAThe Instrumentation,
Systems, and
Automation Society
COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society
Document provided by IHS Licensee=Shell Services International B.V./5924979112,

User=, 09/12/2002 05:23:29 MDT Questions or comments about this message: please
call the Document Policy Management Group at 1-800-451-1584.
|--||
|
||||
|||| ||
||||
||| || | ||| || |
|
--
ISA-TR84.00.03-2002
Guidance for Testing of Process Sector Safety Instrumented Functions (SIF) Implemented as or Within
Safety Instrumented Systems (SIS)
ISBN: 1-55617-801-8
Copyright 2002 by ISA The Instrumentation, Systems, and Automation Society. All rights reserved.
Not for resale. Printed in the United States of America. No part of this publication may be reproduced,
stored in a retrieval system, or transmitted in any form or by any means (electronic mechanical,
photocopying, recording, or otherwise), without the prior written permission of the Publisher.
ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709

ISA-TR84.00.03-2002
Preface
This preface, as well as all footnotes and annexes, is included for information purposes and is not part of
ISA-TR84.00.03-2002.
This document has been prepared as part of the service of ISAthe Instrumentation, Systems, and
Automation Societytoward a goal of uniformity in the field of instrumentation. To be of real value, this
document should not be static but should be subject to periodic review. Toward this end, the Society
welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and
Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709;
Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.
The ISA Standards and Practices Department is aware of the growing need for attention to the metric
system of units in general, and the International System of Units (SI) in particular, in the preparation of
instrumentation standards. The Department is further aware of the benefits to USA users of ISA
standards of incorporating suitable references to the SI (and the metric system) in their business and
professional dealings with other countries. Toward this end, this Department will endeavor to introduce
SI-acceptable metric units in all new and revised standards, recommended practices, and technical
reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The
Modern Metric System, published by the American Society for Testing & Materials as IEEE/ASTM SI 1097, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and
conversion factors.
It is the policy of ISA to encourage and welcome the participation of all concerned individuals and
interests in the development of ISA standards, recommended practices, and technical reports.
Participation in the ISA standards-making process by an individual in no way constitutes endorsement by
the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical
reports that ISA develops.
CAUTION ISA ADHERES TO THE POLICY OF THE AMERICAN NATIONAL STANDARDS
INSTITUTE WITH REGARD TO PATENTS. IF ISA IS INFORMED OF AN EXISTING PATENT THAT IS
REQUIRED FOR USE OF THE TECHNICAL REPORT, IT WILL REQUIRE THE OWNER OF THE
PATENT TO EITHER GRANT A ROYALTY-FREE LICENSE FOR USE OF THE PATENT BY USERS
COMPLYING WITH THE TECHNICAL REPORT OR A LICENSE ON REASONABLE TERMS AND
CONDITIONS THAT ARE FREE FROM UNFAIR DISCRIMINATION.
EVEN IF ISA IS UNAWARE OF ANY PATENT COVERING THIS TECHNICAL REPORT, THE USER IS
CAUTIONED THAT IMPLEMENTATION OF THE TECHNICAL REPORT MAY REQUIRE USE OF
TECHNIQUES, PROCESSES, OR MATERIALS COVERED BY PATENT RIGHTS. ISA TAKES NO
POSITION ON THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS THAT MAY BE INVOLVED
IN IMPLEMENTING THE TECHNICAL REPORT. ISA IS NOT RESPONSIBLE FOR IDENTIFYING ALL
PATENTS THAT MAY REQUIRE A LICENSE BEFORE IMPLEMENTATION OF THE TECHNICAL
REPORT OR FOR INVESTIGATING THE VALIDITY OR SCOPE OF ANY PATENTS BROUGHT TO
ITS ATTENTION. THE USER SHOULD CAREFULLY INVESTIGATE RELEVANT PATENTS BEFORE
USING THE TECHNICAL REPORT FOR THE USERS INTENDED APPLICATION.
HOWEVER, ISA ASKS THAT ANYONE REVIEWING THIS TECHNICAL REPORT WHO IS AWARE OF
ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE TECHNICAL REPORT NOTIFY THE
ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.
ADDITIONALLY, THE USE OF THIS TECHNICAL REPORT MAY INVOLVE HAZARDOUS
MATERIALS, OPERATIONS OR EQUIPMENT. THE TECHNICAL REPORT CANNOT ANTICIPATE
ALL POSSIBLE APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS TECHNICAL REPORT MUST
EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY
UNDER THE USERS PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE
APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED
SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS TECHNICAL REPORT.
THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED
BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE
POTENTIAL ISSUES IN THIS VERSION.
The following people served as members of ISA Committee SP84:
NAME
COMPANY
V. Maggioli, Chair
R. Webb, Managing Director
C. Ackerman
R. Adamski
C. Adler
R. Bailliet
N. Battikha
L. Beckman
K. Bond
S. Brown
J. Carew
K. Dejmek
R. Dunn
P. Early
A. Frederickson
K. Gandhi
J. Gilman
W. Goble
D. Green
P. Gruhn
C. Hardin
J. Harris
J. Jamison
W. Johnson
L. Laskowski
T. Layer
N. McLeod
G. Ramachandran
K. Schilowsky
D. Sniezek
C. Sossman
R. Spiker
P. Stavrianidis
H. Storey
A. Summers
L. Suttinger
R. Szanyi
R. Taubert
H. Tausch
T. Walczak
M. Weber
Feltronics Corporation
POWER Engineers
Air Products & Chemicals Inc.
Invensys
Moore Industries International Inc.
Syscon International Inc.
Bergo Tech Inc.
HIMA Americas Inc.
Shell Global Solutions
DuPont Company
Consultant
Baker Engineering & Lisk Consulting
DuPont Engineering
ABB Industrial Systems Inc.
Triconex Corporation
Kellogg Brown & Root
Consultant
exida.com LLC
Rohm & Haas Company
Siemens
CDH Consulting Inc.
UOP LLC
Bantrel Inc.
E I du Pont
Solutia Inc.
Emerson Process Management
Atofina
Cytec Industries Inc.
Marathon Ashland Petroleum Company LLC
Lockheed Martin Federal Services
WG-W Safety Management Solutions
Yokogawa Industrial Safety Systems BV
Factory Mutual Research Corporation
Equilon Enterprises LLC
SIS-TECH Solutions LLC
Westinghouse Savannah River Company
ExxonMobil Research Engineering
BASF Corporation
Honeywell Inc.
GE FANUC Automation
System Safety Inc.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
This standard was approved for publication by the ISA Standards and Practices Board on 17 June 2002.
-|
||| || | ||| || |
||||
NAME
COMPANY
M. Zielinski
D. Bishop
D. Bouchard
M. Cohen
M. Coppler
B. Dumortier
W. Holland
E. Icayan
A. Iverson
R. Jones
V. Maggioli
T. McAvinew
A. McCauley, Jr.
G. McFarland
R. Reimer
J. Rennie
H. Sasajima
I. Verhappen
R. Webb
W. Weidman
J. Weiss
M. Widmeyer
C. Williams
G. Wood
Emerson Process Management

David N Bishop, Consultant
Paprican
Consultant
Ametek, Inc.
Schneider Electric
Southern Company
ACES Inc
Ivy Optiks
Dow Chemical Company
Feltronics Corporation
ForeRunner Corporation
Chagrin Valley Controls, Inc.
Westinghouse Process Control Inc.
Rockwell Automation
Factory Mutual Research Corporation
Yamatake Corporation
Syncrude Canada Ltd.
POWER Engineers
Parsons Energy & Chemicals Group
KEMA Consulting
Stanford Linear Accelerator Center
Eastman Kodak Company
Graeme Wood Consulting
|||| ||
||||
|
||
|---

|--||
|
||||
|||| ||
||||
||| || | ||| || |
|

--
This page intentionally left blank.
ISA-TR84.00.03-2002
Contents
-|
||| || | ||| || |
||||
|||| ||
||||
|
Introduction .......................................................................................................................................... 11
Purpose................................................................................................................................................ 12
Scope................................................................................................................................................... 12
Audience.............................................................................................................................................. 13
Definition of terms and acronyms ........................................................................................................ 13
||
|---
5.1
Definitions..................................................................................................................................... 13
5.2
Acronyms...................................................................................................................................... 15
Off-line testing...................................................................................................................................... 16
6.1
When should off-line testing be performed................................................................................... 16
6.2
Deferral of scheduled testing of SIF ............................................................................................. 20
6.3
How to perform off-line testing of SIF........................................................................................... 21
6.4
Component testing ....................................................................................................................... 23
6.5
Logic solver test procedures ........................................................................................................ 28
6.6
Testing of final control elements................................................................................................... 29
6.7
Testing solenoid valves ................................................................................................................ 30
6.8
Testing of HMI .............................................................................................................................. 30
6.9
Testing of communications........................................................................................................... 30
6.10
Final SIF test procedures ............................................................................................................. 31
On-line testing...................................................................................................................................... 31
7.1
Preparation ................................................................................................................................... 31
7.2
When should on-line tests be performed...................................................................................... 32
7.3
Performing on-line testing ............................................................................................................ 34
7.4
Inspection (observation techniques that enhance SIF availability) .............................................. 38
7.5
Testing documentation ................................................................................................................. 41
Inspections........................................................................................................................................... 42
Auditing ................................................................................................................................................ 43

ISA-TR84.00.03-2002
10
References....................................................................................................................................... 43
Annex A Model procedure for approval required for replacing individual components in SIF ............... 45
Annex B Model procedure for deferring scheduled testing of SIF ......................................................... 47
Annex C Model procedure for testing turbine thrust position monitors .................................................. 49
Annex D-1 Model procedure for electronic over-speed trip testing........................................................ 57
Annex D-2 Model procedure for testing turbine overspeed trip ............................................................. 63
Annex E Model procedure for testing permissive start for turning gear motor....................................... 67
Annex F Model procedure for lube oil pumps autostart test .................................................................. 69
Annex G Model procedure for testing first-out sequence alarms........................................................... 71
Annex H Model procedure for functional testing of TMR-based SIS instrumentation............................ 73
Annex N Model procedure for testing temperature switches ................................................................. 85
||||
|||| ||
||||
--
Annex O Example visual inspection form for SIF................................................................................... 87
||| || | ||| || |
Annex M Model procedure for on-line testing of pressure sensors in a 2oo3 configuration (high or low
trip) .............................................................................................................................................................. 83
Annex L Model procedure for on-line testing of flow sensors in a 1oo2 configuration (high or low trip) 81
||
Annex K Model procedure for on-line test of a high level switch ........................................................... 79
|---
Annex J Example of a jumper control list ............................................................................................... 77
Annex P Model procedure for testing a permissive pressure logic point ............................................... 91
Annex Q Model procedure for testing a simple SIF ............................................................................... 95
Annex R Model procedure for testing a complex logic system .............................................................. 99
Annex S Model procedure for testing emergency stop switch ............................................................. 115
Annex T Model procedure for testing a relay implemented SIF........................................................... 117
Annex U Model procedure for testing SIF watchdog timer .................................................................. 123
Annex V-1 Model procedure for on-line testing of sensor logic ........................................................... 125
Annex V-2 Model procedure for testing sensor logic ........................................................................... 129
Annex V-3 Model procedure for on-line testing sensor logic ............................................................... 133
Annex W Model procedure for on-line final control element functional testing .................................... 137
Annex X Model procedure for on-line testing of compressor SIF ........................................................ 141

ISA-TR84.00.03-2002
Annex Y Model procedure for on-line testing of 2oo3 temperature elements...................................... 155
Annex Z Model procedure for testing final control elements when manual bypass valves are provided
.................................................................................................................................................................. 169
Annex AA Example of a testing documentation form for off-line tests................................................. 173
Annex BB Model SIF testing policy statement ..................................................................................... 175
Annex CC Possible SIF performance metrics...................................................................................... 177
Annex DD Model technique for testing SIF valves on-line................................................................... 179
Annex EE Automated testing of SIF valves on-line ............................................................................. 181
Annex FF Possible audit protocol for safety instrumented functions ................................................... 185
Annex GG Example of checklist for auditing an SIF ............................................................................ 193
Annex HH Partial instrument trip test (PITT)........................................................................................ 195
Annex JJ Vendor packages to perform partial stroke testing of SIF valves......................................... 201
Annex KK Possible technique for evaluating benefit of partial stroke testing of SIS valves in PFDavg
calculations ............................................................................................................................................... 203
Annex LL Example method for partial stroke testing of SIS valves ...................................................... 207
Annex MM Examples of techniques to perform on-line testing of solenoid valves .............................. 211
Annex NN Model procedure for testing mA pressure transmitters....................................................... 213
Annex PP Model procedure for testing mA temperature transmitters ................................................. 215
Annex QQ Model procedure for testing mV temperature transmitters................................................. 217
Annex RR Model procedure for testing pressure switches .................................................................. 219
Tables
Table 1 Calibration work process for SIF components .......................................................................... 22
Table 2 Tests performed to verify operation of SIF components ........................................................... 24
Table 3 Calibration and testing guidance for repaired or replaced components in SIF......................... 25
Table 4 Sample documentation for high alarm and trip settings........................................................... 26
Table 5 Sample documentation of high temperature alarm and trip settings ........................................ 27
Table C.1 Turbine thrust position ........................................................................................................... 50
Table R.1.6A Thermocouple input, trip, and bypass action validation................................................. 101
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
10
Table R.1.7A Manual trip and reset logic functionality validation......................................................... 110
Table KK.1 Dangerous failure modes and effects with associated test strategy ................................. 204
--
||| || | ||| || |
||||
|||| ||
||||
||
|---
Table NN.1 Sample documentation for high alarm and trip settings ................................................... 214

11
ISA-TR84.00.03-2002
-|
||| || | ||| || |
Introduction
||||
|||| ||
||||
|
||
|---
The best test of the Safety Instrumented Function (SIF) is the full functional test. Because SIF are
designed to act upon an abnormal condition being measured and a corrective action taking place, any
test must examine the measurement, logic and final control element activity to be considered a full
functional test. This should involve creating an abnormal condition of the measured variable such that the
input variable first reaches the alarm state and secondly moves to the interlock point making observations
that the rest of the system responds as expected. Any less complete test is necessarily a compromise.
Understanding what techniques should be used to ensure that this full functional test is complete is vital.
The sense of well being resulting from this successful test unfortunately deteriorates with time. Therefore,
determining when subsequent testing is required to maintain this feeling of comfort is critical. The relative
value of the functional test versus the cost of running the test can impact this decision. It is necessary to
consider the degree of safety risk caused by a Safety Instrumented Function (SIF) initiated nuisance
shutdown and at the same time the safety risk associated with an event not stopped due to a dangerous
unrevealed fault in the SIF. Real processes are not ideal. Many systems are at maximum expected risk
during startup and shutdown conditions.
NOTE 1
In this document the acronyms SIF and SIS will be used for both singular and plural usage of the term.
NOTE 2 The techniques for testing SIF or SIS described in this document apply to demand mode systems only. Continuous mode
systems, which are rare in the process industry, require testing considerations beyond the scope of this document.
SIF applications are normally in a standby mode waiting for an indication of some potentially unsafe
condition to occur before taking action. Faults may not become visible until the SIF fails to respond to an
unsafe condition in the process. In basic process control loops the sensors and valves are exercised
continuously during the Distributed Control System (DCS) and Programmable Logic Controller (PLC)
cycles making process or equipment faults visible quickly and rendering them hard to ignore. It is vital
that some program of testing and observation of each SIF in the SIS be in place. Any testing scheme,
though which is burdensome or difficult has the very real probability of being ignored or bypassed. Where
on-line testing techniques are implemented, they should not unnecessarily compromise the process
safety integrity during the test. The test equipment and procedure must be carefully evaluated to
determine whether the danger of causing an incident due to performing the on-line test is greater than the
danger of not discovering the failure. Ill-advised maintenance or troubleshooting might actually increase
the process risk.
Effective safety testing is strongly affected by local situations. Hazards differ, resources differ, and even
the site conditions differ widely. Rapidly changing technology and ever increasing citizen expectations
also impact decisions. Safety incidents can have the political result of closing down entire businesses if
the local citizens are sufficiently offended. International competition has put tremendous pressure on
manufacturing operations to reduce personnel and costs. Whatever testing schemes are used, they need
to be very practical and should minimize maintenance and operating costs while ensuring the integrity of
the SIF. The techniques suggested in this document are intended to provide guidance in the
development of effective and efficient methods to plan and to manage testing and maintenance of SIF.
Users of this document should have a good understanding of the applicable standards or guidelines
which apply to SIF and SIS such as ANSI/ISA-84.01-1996, ISA-TR84.00.02-2002, OSHA 1910.119,
dIEC 61511, and others.
The records resulting from the testing program should be equally valuable to planned and preventive
maintenance and address the requirements of all regulations, as well as quality control and mandated
standards.
Another important part of process safety in an operating unit is the knowledge and motivation of the
operators and maintenance personnel. It is the responsibility of management to provide training and
motivation. Any plan, formula, procedure, or even a standard, which attempts to, or claims to substitute

ISA-TR84.00.03-2002
12
procedures and rules for training, motivation, and support is doomed to failure. Therefore, the testing
techniques proposed should not be considered just another set of rules, which become burdens to
overworked plant personnel, but rather means of improving the work process and reducing frustration.
Purpose
Systematic testing of each Safety Instrumented Function (SIF) is required to ensure that dangerous
unrevealed failures have not occurred that could render the SIF unable to perform the function for which it
was provided. This testing ensures that all operational functions of the SIF are evaluated on a periodic
schedule in accordance with the safety integrity requirement of the SIF. Many processes have operating
cycles that are longer than the period between testing required achieving the safety integrity. Thus
performing the required off-line testing necessitates shutting down the process. This is costly and puts
unnecessary strain on equipment and necessitates going through shutdown and startup (which are
usually the most dangerous periods of a process lifecycle) again. Therefore, the ability to perform testing
while the process remains in operation is desirable.
--
There are also different ideas on what constitutes an acceptable test for various components of SIF.
Whether the test is performed off-line, with the process down, or on-line with the process in operation,
there are methods for performing the testing that ensure a high degree of detection of failures that might
have occurred. Guidance is needed in the selection of these testing methods for both off-line and on-line
situations.
|
||| || | ||| || |
||||
|||| ||
There is also benefit in performing inspection activities on SIS equipment during normal operation of the
process to detect any potential problem creating situations that might be developing. Guidance in what to
look for, how often to inspect, and what to do when a condition is observed that could lead to a failure will
enhance the safety integrity of the SIF.
||||
Scope
|
||
|---
Testing considerations of SIF should be included in most of the Safety Lifecycle steps described in
ANSI/ISA-84.01-1996. Testing frequency is a part of the determination of Safety Integrity Level (SIL) for
the SIF. Provision for conducting tests must be included in the selection of equipment and design of the
SIF and the Pre-Startup Acceptance Test (PSAT) is an integral part of ensuring the SIF will provide the
risk reduction necessary. When modifications are made to SIF, testing can validate that appropriate SIF
action will still take place.
This technical report is an informative document providing guidance on performing testing of SIF
components and systems that will help achieve full safety benefits of the SIF in the most cost-effective
way. Both manual and automated techniques are presented for off-line and on-line testing of SIF and the
benefits of each technique described. Existing techniques and proposed new techniques will be
described. Utilizing the techniques described in conjunction with an overall safety management program
will allow users to meet the testing requirements of ANSI/ISA-84.01-1996 and dIEC 61511. Techniques
are described for testing all elements of the SIF including field sensors, final control elements, logic
solvers (signal conversion modules included), Human Machine Interface (HMI), communication links with
other systems, user application software, and other required auxiliaries such as power. Suggested
inspection techniques for regular observation of equipment and components to detect potential problems
are also presented.
The techniques described can also be used for testing burner management systems in conjunction with
the NFPA 85 code.
These techniques are illustrated by the examples given in Annexes A-MM. Each Annex is an example
of how one company might apply a given technique, and is not intended to represent a consensus
solution within the process industry.

13
ISA-TR84.00.03-2002
Audience
This document is intended as a guide for those responsible for specifying, designing, constructing,
scheduling, implementing, and maintaining SIF applied to the process industries.
It is expected that those persons using this document will have adequate understanding of the ANSI/ISA84.01-1996 standard and its requirements related to testing of SIS.
5
5.1
Definition of terms and acronyms

Definitions
5.1.1 approved substitution:

a replacement item for a component or system that meets the following requirements:
Is specifically permitted as a substitute or duplicate item in a company standard or practice (i.e., the
company standard or practice clearly states that more than one brand and/or model number may be used
interchangeably in order for a replacement item other than the exact same brand and model number to be
considered for use as an approved substitute)
OR
Is approved as an equivalent substitute by the appropriate plant or company personnel, or his/her
designee for approving substitutions; meets process-specific operational safety standards; and is covered
by existing training and procedures.
See Annex A for an example of a typical approval procedure for making substitute replacements for SIF
components.
5.1.2 automatic testing:
a test which consists of simulated process conditions to a logic solver which cause the logic solver to take
specified action and signal a final control element to move to a specified position. The simulated process
signal is implemented using another programmable device which controls the sequence and range of
testing. Humans may observe the action of the system logic and final control element movement but do
not intervene in the testing sequence. All steps of this test are documented by the testing device for
validation of system performance to specified conditions.
5.1.3 car seal:
a technique consisting of a restraint placed on a valve actuator in such a manner that it cannot be moved
from the sealed position without breaking the restraint seal. Operations personnel typically maintain a
list of those valves car sealed in a fixed position for a process.
solid state non-programmable electronic devices (electronic); and
||
|
||||
electro-mechanical devices (electrical);

--
||| || | ||| || |
|||| ||
||||
5.1.5 electrical/electronic/programmable (E/E/PE):

logic technology that is based on electrical (E) and/or electronic (E) and/or programmable electronic (PE)
technology. The term is intended to cover any and all devices or systems operating on electrical
principles and would include
|---
5.1.4 communications (external):

data exchange between the SIS and a variety of systems or devices that are outside the SIS. These
include operator interfaces, maintenance/engineering interfaces, other SIS, etc.
ISA-TR84.00.03-2002
14
electronic devices based on computer technology (programmable electronic).
5.1.6 field sensors:

field sensors include the process connections, the sensing device, the transmitter, and the signal
connection to the logic solver.
5.1.7 final control elements:
final control elements include the signal connection from the logic solver, the actuation medium supply
(typically air), solenoid valves, and the device which effects a process flow change (e.g., valves or
pumps).
5.1.8 human machine interface (HMI):
the human machine interface includes the connection between the logic solver and the operator station,
the graphical display device, the tools available for operating the system (hand-switches, mouse and
keyboard) as well as a printer if supplied.
5.1.9 logic solvers:
in the case of PE devices, the logic solver includes the input module, main processor, and the output
module. In the case of electrical or electronic devices, the logic solver may be a single relay or
redundant, voting relays.
5.1.10 manual test:
a test which consists of simulating process conditions using the input device (i.e., transmitter) to a logic
solver causing the logic solver to take specified action and signal a final control element to move to a
specified position. Humans typically generate the simulated process signal using appropriate test
equipment. Humans also observe the action of the system logic and final control element movement. All
steps of this test are documented for validation of system performance to specified conditions.
-|
||| || | ||| || |
5.1.11 off-line testing:

testing performed while the process or equipment being protected is not being operated to carry out its
designated function. For example, a compressor is designed to take gas from a low-pressure state to a
higher pressure state. If the compressor is not running (compressing gas), it is not performing its
designated function. Off-line testing would be performed during the time the compressor is not running.
||||
|||| ||
||||
|
||
|---
5.1.12 on-line testing:

testing performed while the process or equipment being protected is operating performing its designated
function. For example, a compressor is designed to take gas from a low-pressure state to a higher
pressure state. If the compressor is operating (compressing gas) while tests are performed on a
transmitter providing an input to the SIF, this is an on-line test of the transmitter. When simplex input
devices are used, performing such testing typically requires bypassing of the input function to the SIF.
When redundant devices are used, bypassing may not be required, depending on the voting
configuration.
5.1.13 permissive:
logic action that requires some condition be met before further actions can be taken. For example, a
specific temperature might have to be achieved in the process before some additional chemical can be
added; a lubrication system must be in operation before a pump can be started; or certain valves must be
closed before others can be opened.
5.1.14 proof test:
test performed to reveal undetected faults in a safety instrumented function so that, if necessary, the
system can be restored to its designed functionality.

15
ISA-TR84.00.03-2002
5.1.15 replacement in kind:

an exact duplicate of a component or system or an "approved substitution" that does not require other
modifications to the SIF as installed. See Annex A for an example of a typical approval procedure
required for making substitute replacements for SIF components.
5.1.16 safety instrumented function (SIF):
a safety function with a specified safety integrity level which is necessary to achieve functional safety. A
safety instrumented function can be either a safety instrumented protection function or a safety
instrumented control function.
--
5.1.17 safety instrumented control function:

safety instrumented function with a specified SIL operating in continuous mode, which is necessary to
prevent a hazardous condition from arising and/or to mitigate the consequences.
|
||| || | ||| || |
||||
5.1.18 safety instrumented protection function:

safety instrumented function with a specified SIL operating in a standby mode to take action should a
situation which could lead to a hazardous condition arise and/or to prevent the hazardous condition or to
mitigate the consequences.
|||| ||
||||
5.1.19 turnaround:
maintenance activities associated with a process, unit, or total plant which require that the process, unit,
or plant be taken out of normal service and all equipment taken to a shutdown or out of service state.
|
||
|---
5.2
Acronyms
ANSI/ISA
American National Standards Institute/Instrumentation, Systems, and Automation Society
BPCS
Basic Process Control System
CCF
Common Cause Factor
DCS
Distributed Control System
FMECA
Failure Mode Effect and Criticality Analysis
HMI
Human Machine Interface
ICS
Letters indicating a specific manufacturer of equipment
IEC
International Electrotechnical Commission
MTTF
Mean Time To Failure
PES
Programmable Electronic System
PLC
Programmable Logic Controller
PSAT
Pre-Startup Acceptance Test
RTD
Resistance Temperature Detector
SIF
Safety Instrumented Function

16
ISA-TR84.00.03-2002
SIL
Safety Integrity Level
SIS
Safety Instrumented System
SOP
Standard Operating Procedures
SOV
Solenoid Valve
SRS
Safety Requirements Specifications
T/C or TE
Thermocouple
TMR
Triple Modular Redundant
UPS
Uninterruptible Power Supply
WDT
Watch Dog Timer
Off-line testing
The most common test of an SIF that uncovers failures or faults that may disable an SIF is the off-line,
functional test. This test is performed while the process being protected is not in operation thus allowing
all features of the SIF to be validated. The primary purpose of this testing is to detect dangerous
unrevealed faults that exist in the SIF. When the SIF is properly designed and maintained, this testing
should rarely find faults. The basic requirements of this test are described in ANSI/ISA-84.01-1996 in
Clause 9.7 Functional Testing. There are, however, multiple ways that tests can be performed to
accomplish the purpose of this functional test. This clause will describe techniques and procedures that
are known to be effective in carrying out the functional test to uncover faults or failures, which could result
in potentially unsafe conditions in the process.
Each SIF included in the SIS should be identified. All inputs, outputs, and logic associated with each SIF
should be identified. A testing procedure should define how each SIF will be validated. All equipment
necessary for performing testing should be identified and verified suitable for tests to be performed. This
includes calibration equipment with traceable performance.
If any components are shared among multiple SIF, testing should take this into account.
NOTE The procedures identified refer to SIF exclusively. Similar procedures should be available for all systems with limited
monitoring such as equipment protection systems. These procedures are outside the scope of this document.
There are two important questions that should be addressed related to off-line testing (1) when should
off-line testing be performed and (2) how should the off-line testing be performed. These questions are
addressed in the clauses to follow.
6.1
When should off-line testing be performed
6.1.1
General considerations
Off-line testing of the complete SIS should be performed prior to introduction of hazardous chemicals to
the process. This is described as the Pre-Startup Acceptance Test (PSAT) in ANSI/ISA-84.01-1996
Clause 8.4. This test should be a final validation that the system can in fact perform the function(s) for
which it was designed. Off-line testing allows each SIF to be completely tested including the application
software and any equipment and associated logic provided for on-line testing.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

17
ISA-TR84.00.03-2002
NOTE After the initial PSAT has been performed, any subsequent tests that validate all SIF in the SIS before placing the system
back in service may be referred to as a full functional test.
Follow-up testing of the SIF should be performed at intervals determined by one or more of the following
criteria:
The test interval included in the performance calculations for the SIF. See ANSI/ISA-84.01-1996
Clause 4.2.6.
When changes are made to logic, impacting the function of the SIF. See ANSI/ISA-84.01-1996
Clause 4.2.14.
When the process or equipment is taken out of service for scheduled maintenance activities that
require work involving components of the SIF. See ANSI/ISA-84.01-1996 Clause 4.2.13.
Company policy requiring complete testing of the SIF on a predefined schedule. See ANSI/ISA84.01-1996 Clause 4.2.13.
After extended down time of the SIS (see deferral of testing section Clause 6.2)
No modification, which could alter any of the following, should be made without first carrying out a review
to ensure the change cannot reduce the level of protection and appropriate testing is done to validate
correct operation of the modified SIF:
Performance of a Safety Protection Layer for the original design intent
Materials of construction
Mode of operation
Operating procedures
Alarm and trip settings
Speed of response
Testing intervals or methods
Device type, other than replacement in kind
Architecture or voting logic
Diagnostics
Dependent on the nature of the repair work, which has been completed, functional testing after repair to a
SIF component may include the following activities. When the test does not involve a complete functional
test of the component, the test does not alter the specified SIF testing frequency.
1) Single input: exercise sensor input and verify alarm and trip setpoints are correct then observe
output(s) action. Confirm the process sensor is still connected to the correct input. Use the
applicable section of the SIF test procedure and complete the required documentation for the
equipment checked.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
18
2) Single output: exercise all inputs that will actuate desired final control element and observe output
action. Confirm final control element is connected to correct output. Use the applicable section of the
SIF test procedure and complete the required documentation for the equipment checked.
3) Logic: perform a complete functional test of all SIF affected by the repair using the functional test
procedure and complete all documentation. Check for cross contamination in the application
software/logic by monitoring for unexpected actions across/between SIFs.
Follow-up testing of individual components in a SIF may be considered at intervals shorter than the
complete functional test of the SIF to improve the performance capability of the SIF. Factors, which can
impact the frequency of these tests, include
sensors and final control elements installed in severe environment;
accuracy of measurements required for safety;
need for positive isolation of streams by valve action;
mechanical wear and tear on components; and
desire for longer test interval between complete functional tests.
6.1.2
Sensors (transmitters, switches)
Whether switches or transmitters are used for input signals impacts testing requirements. Transmitters
provide signals which indicate the current status of the variable being measured. This gives an indication
that the input device is functioning. A switch on the other hand gives no indication of its status until the
process variable passes through the trip point of the switch. Therefore, it may be necessary to test
switches more often than transmitters used as input devices to SIF.

||
|
||||
|||| ||
||||
||| || | ||| || |
|
The incorporation of internal or external diagnostics in the SIF design often results in the reduction of the
required test interval due to the ability to detect faults on-line. Diagnostics may not be able to detect all
faults of the component. For example, a plugged tap may not be detected by internal diagnostics within
the transmitter, but may be detected using external diagnostics (i.e. comparison of redundant transmitter
analog signals using a PE logic solver). Consequently, any diagnostic should be carefully evaluated to
determine which faults could be detected by the diagnostic prior to using the diagnostic as justification for
reduction of the testing interval.
--
It may also be appropriate to establish a maximum period of time between full functional tests of SIF that
does not exceed 3-5 years. Few processes can operate for longer periods of time without some
maintenance activity requiring process shutdown, and test schedules should not range beyond these
shutdown schedules. There may also be some questions concerning the applicability of the failure rate
data used in the SIL verification calculations and subsequent test interval determination that would point
toward setting maximum test intervals for the SIF.
|---
In selecting a test interval for an SIF to match the SIL determined during the hazard and risk analysis of
the process, the severity of the process characteristics should be considered. For example, a shorter test
interval might be used initially for process fluids that are known to be more severe (corrosive, erosive,
tending to plug, etc.). The minimum test interval should be determined by the user based on the SIL
assigned to the SIF. Typically, annual testing is a reasonable starting point for the determination, which
should include the examination of the component failure rate in the operating profile, the voting
architecture, and the component diagnostics. The test interval chosen should be re-evaluated
periodically and adjusted accordingly, based on the results of several functional tests. Based on user
experience, shortening the test interval will not correct a faulty design or equipment problem. Instead,
shortening the test interval will at most only allow earlier detection of an equipment problem.
19
ISA-TR84.00.03-2002
Transmitters can also provide diagnostics such as out-of-range high/low and out-of control range
indications which switches cannot do. Such diagnostics may reduce the frequency of testing required for
transmitters.
The calibration stability of an input device may require testing frequencies that are shorter than that for
the complete SIF. Devices that are known to drift due to environmental changes in temperature, for
instance, may require more frequent testing and calibration to ensure proper process variable input to the
SIF. Devices that maintain their calibration stability through wide changes in temperature may not require
frequent testing as long as a signal consistent with other process conditions is being transmitted from the
device.
Redundancy of components may impact their testing frequency. Where redundant sensors have their
outputs monitored and they are compared with each other, agreement usually means viable
measurements which do not need frequent testing or calibration. When the outputs drift apart, testing or
calibration is indicated for all the redundant components.
Diversity in the detection of the hazardous condition can provide a means to improve the SIF availability
without adding redundant components. For instance, a pressure measurement may be used in
redundancy with a temperature measurement for some process conditions. A comparison of the
temperature and pressure to expected thermodynamic data can provide diagnostics on the validity of the
process measurements, reducing the required testing interval.
User experience with specific sensors and service should be used in determining the test frequency of the
device to ensure proper performance of a sensor.
Some companies require yearly performance checks of sensor calibration and verification of set points.
Other companies have established testing frequencies based on past history with the equipment they
use. Established company policy for testing frequency should take precedence if more frequent
than the guidelines of this document.
6.1.3
Logic solvers (E/E/PE)
-|
||| || | ||| || |
||||
|||| ||
When changes are made to the logic solver, the potential effects of these changes must be evaluated to
determine how much of the E/E/PE must be tested. If the program changes can be isolated to a
particular section, and it can be shown conclusively that the change does not impact other logic
implemented in the logic solver, only that section needs to be fully tested (complete functional test). This
applies to logic whether it is electromechanical relay based, solid-state relay based, pneumatic, or
Programmable Electronic System (PES) based. Where Watch Dog Timers (WDT) are implemented as
external diagnostics on PE logic solvers, they should be tested at the same frequency as the logic solver.
For guidance in testing WDT see the American Institute of Chemical Engineers, Center for Chemical
Process Safety, guideline series book, Guidelines for Safe Automation of Chemical/Petrochemical
Processes.
||||
|
||
|---
Some companies require that functional performance of logic solvers be verified on a schedule that
ranges from one year to several years depending on the risk associated with the process, the complexity
of the logic, and company experience with the logic solver being used.
6.1.4
Final control elements (valves, motors)
Valves used for final control elements should be tested when full system functional tests are performed.
They should be tested at the frequency used in the performance calculations for the SIF. Final control
element (valves) should be tested each time the process is taken out of service. This can typically be
performed by verifying appropriate operation of all valves when the process is taken out of service (either
manually or due to a failure of some nature that caused the process to trip). For batch operations,
verification of proper operation during each batch should provide this function.

ISA-TR84.00.03-2002
20
Other devices used as final control elements such as motors should be tested at the frequency used in
the performance calculations for the SIF.
Frequency of testing valves as final control elements depends on a number of factors:
Type of valve used as the final control element
Service in which the valve is applied
Whether the valve is used during normal operation or as a standby valve for use only when the SIF
takes action
Whether the valve must provide minimal leakage isolation or some leakage can be tolerated
Whether the valve actuator has a spring to drive it to the safe state or it depends on motive power to
drive it in both directions
When testing final control elements, auxiliaries such as valve positioners, position or limit
indicators/sensors, air pressure regulators, etc. should be tested at the same frequency as the valve.
6.1.5
HMI
The Human Machine Interface (HMI) should be tested at the same frequency as the full SIF. When
changes are made to information displayed in the HMI, the changes should be tested to confirm
appropriate status is displayed. If the HMI is used to initiate the SIF logic, all devices associated with the
initiation should be tested, including the HMI, output circuit, and final element.
6.1.6
Communications
Communications between the SIF and other control equipment such as the Basic Process Control
System (BPCS) should be tested at the same frequency as the SIF. When completing full functional tests
of the SIF, the testing should include all communication to auxiliary equipment such as the DCS. When
changes are made to the communications links between the SIF and any other equipment, testing should
confirm that appropriate information is being communicated.
6.2
Deferral of scheduled testing of SIF
Documented justification for deferral of scheduled inspection and/or testing activities should make use of
failure rate data and/or quantitative methods to establish that the design intent and the performance
requirements are not compromised. Company or plant-specific failure rate data for the process of
concern should be used when available, because this provides the best estimation of component
performance. When company or plant specific data is not available, published failure rate data can be
used as long as it has been determined that the data agrees with past operational experience and
includes the failure modes of interest. The method(s) used for validating the failure rate data should be
appropriate to the complexity of the system and the severity of the event consequence.
Scheduled testing of SIF may be deferred if it meets the following criteria:
The equipment that the SIF is protecting is out of service. An analysis of the impact of such a deferral
on the SIF provided should be made prior to the decision to defer. The SIF should be tested prior to
the equipment being returned to service in this case.
A plant turnaround is scheduled shortly after the scheduled full functional test of the SIF. This turnaround
will allow a complete functional test of the SIF. The time period of this delay should not result in a
compromise of the SIF or its safety integrity level. When the SIF is designed with the intent to be full
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

21
ISA-TR84.00.03-2002
functional tested every three to five years, the time delay should not exceed three months unless a safety
assessment has determined that the longer delay would not compromise the SIF.
See Annex B for an example of a deferral procedure for SIF testing. The approval process, including
levels of management and technical responsibility required for deferring a scheduled test, should be predetermined, understood, and documented before an SIF is put into service
6.3
6.3.1
How to perform off-line testing of SIF

General guidelines
This clause will outline techniques for performing tests that have been proven and some proposed
techniques, including automated techniques that can achieve adequate off-line testing of SIF. The
advantages and disadvantages of each technique will be discussed where appropriate.
A key question concerns whether testing of the SIF must be done as an integrated system or whether
various parts of the SIF can be tested at different times and credit be taken for the testing required to
achieve the SIL specified. The requirement for testing stated in ANSI/ISA-84.01-1996 does not say that
all testing of the SIF must take place at the same time. However an integrated test must be performed as
the Pre-startup Acceptance Test (PSAT) (ANSI/ISA-84.01-1996, clause 8.4), prior to introduction of
hazardous chemicals to the process, to ensure that the SIF can provide the functionality specified in the
safety requirement specification. After that, the user is free to structure testing consistent with the
integrity requirements of their SIF.
-|
||| || | ||| || |
||||
|||| ||
It is highly recommended that a complete functional test of the SIS including all implemented SIF be
performed on some prescribed interval to ensure proper functioning of the entire system. Where the
dynamics of the entire end-to-end SIF is cruciali.e., the thermowell, the T/C, the transmitter, the input
cycle time, the logic cycle time, the output signal cycle time, as well as all necessary components of the
final control elements, such as volume boosters, pneumatic tubing size and lengththe complete SIF
should be tested together to ensure specification compliance.
||||
|
||
|---
Why would a user desire to perform non-integrated testing of the SIF? Testing is looking for dangerous
unrevealed or covert failures that have taken place and would prevent a SIF from performing its function.
Whether these are uncovered piecemeal or in a total integrated functional test is immaterial. The
important factor is that they are discovered and corrected before a demand is placed on the SIF and it
cannot perform the specified function.
The properly applied logic solver is generally the most available component of the SIF and thus should
require complete tests less frequently than the field devices. Sensors can easily be tested on-line when
provisions for testing and/or device redundancy is included in the design. Valve testing may require
bypassing in order to perform a full functional test, when a short interruption of the process cannot be
tolerated. But, the valve may be partially tested while in operation with a complete functional test
performed off-line. Any partial testing should be evaluated to determine which failure modes and
components are tested during the partial test, so that this can be considered in the SIL verification
calculations. It should be emphasized that provision for this non-integrated testing of SIF components
must be factored into the SIF design as required in ANSI/ISA-84.01-1996, Clause 7.9 and into the SIL
verification for the SIF.
Many recognized and generally accepted good engineering practices such as NFPA and FM suggest online testing of valves using the process chemicals at normal operating pressure to do performance
testing. This often provides better validation of the functional performance of the valve and can be a costeffective alternative to removing the valve and taking it to a calibration facility. This type of testing could
be performed as a part of a scheduled shutdown of the process with the appropriate documentation of
results.

22
ISA-TR84.00.03-2002
6.3.2
SIF component calibration and performance validation
All components of the SIF should be calibrated prior to placing the SIF in service. Calibration test
equipment traceable to a recognized standards performance organization should be used to perform a
minimum three-point calibration (5%, 50%, 95% to prevent scaling errors) over the full signal range of the
loops sensor/transmitter to the final readout device. Valves should be calibrated to proper stroke length
for full open and full closed positions. Any valve that is not required to close or open to full stroke position
should be calibrated to the appropriate position prior to placing the SIF in service.
6.3.3
Calibration procedures
Calibration procedures should be available for each type of component in the SIF. In general, calibration
procedures recommended by the manufacturer of the component should be used. Where additional
requirements (e.g., response time of sensors or valves) are necessary to meet the specified function in
the SIF, these should be taken into account in the calibration procedures.
Procedures for calibration of SIF components should include a final step in which Operations verifies the
reasonableness of the newly calibrated, field sensor(s) actual process readings. This step is very
important to minimize the likelihood of a Common Cause Failure (CCF), during calibration of redundant
process sensors.
NOTE Common cause calibration failure can arise where redundant sensors are calibrated at the same time by the same person
using the same test equipment or standard. Where an instrument technician mis-calibrates one sensor, he/she is very likely to miscalibrate the other(s). Special concerns for these failures arise in calibration of redundant process analyzers using a single mixed
sample and SIL 3 safety controls in batch processes.
Calibration procedures and/or vendor technical data that include step-by-step

calibration instructions applicable to each SIF component are available.
Safety instruments not

covered in specific
Maintenance Staff
Training
Skilled staff using manufacturers step-by-step calibration instructions to

calibrate devices that are not part of the staff maintenance qualification
process.
Process Analyzers
Analyzer calibration may require special considerations in addition to using

the manufacturers step-by-step calibration instructions.
Example: Limited availability of check-gas may make executing a standard
three-point calibration difficult. A calibration procedure that proves operation
using one known composition sample that is close to the safety-critical trip
point is often adequate.
Many field devices require periodic calibration and checkout to ensure that the process service has not
affected the devices ability to respond to process changes. The use of redundancy in process
measurements will allow early detection of many device failures, reducing maintenance costs by focusing

|||| ||
||||
Trained staff using plant procedures and/or technical data on an as-needed

basis when performing periodic component calibrations.
||| || | ||| || |
Most SIF Components
Calibration Tasks and Resources
--
Devices Being Calibrated
||||
||
Table 1 Calibration work p rocess for SIF components
|---
Table 1 offers guidelines for calibration tasks and resources for calibration of SIF components:
23
ISA-TR84.00.03-2002
efforts on known problems. An example of what might be achieved in a reasonable process service with
instrumentation redundancy is as follows:
Smart pressure transmitters can go 2 to 4 years between calibrations.
Coriolis and magnetic flow meters should not be calibrated unless there is evidence of a problem.
(Coriolis and magnetic flow meters should be calibrated using a prover loop at turnaround.)
Smart four-wire RTD transmitters should only be calibrated if there is evidence of a problem.
Smart thermocouple transmitters can go 5 years between calibrations.
Vortex meters should only be calibrated if the kinematic viscosity permanently changes.
Radar level gauges should only be calibrated if vessel internals change.
Smart nuclear level gauges should only be calibrated if process density permanently changes.
Smart digital positioners on valves should only be calibrated when valves are overhauled.
6.4
Component testing
Both general and specific guidelines are presented in the following clauses for performing off-line testing
of SIF components.
6.4.1
General guidelines
Verify permissive values of field sensors and any other devices such as timers used in permissive logic.
Note that permissive logic may have manual or logic implemented bypass capability for startup. Both
techniques, if provided, should be tested prior to placing the SIF in operation. Verify all alarms and or
lights associated with each sensor and switch by observing and documenting correct indication when
alarm conditions are reached. See Annex P for a model procedure for testing permissive logic.
Verify all hand trip switch action by observing and documenting observed action when switch is actuated.
An example of a test procedure for a simple SIF is shown in Annex Q.
Table 2 provides general guidance on testing required for verifying proper operation of components
typically used in SIF.
______
1
Process/Industrial Instruments and Controls Handbook, edited by Gregory K. McMillan, Fifth Edition,
copyright 1999.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

24
ISA-TR84.00.03-2002
Table 2 Tests performed t o verify operation of SIF components
To verify the operation of

sensors
logic solver
alarm functions
final control elements
Test
the operation of the complete field sensor, including

-
primary sensing element,
switch or transmitter,
wiring, and
logic solver input module.
the operation of the logic solver, including

-
hardware and software associated with each input device,
combined inputs,
trip setpoints,
operating sequence,
diagnostics, and
computations.
operation of alarm functions and readout, including the alarms that signal the bypass of
automatic trips
the operation of the complete final control element, including
--
logic solver output module,
wiring,
actuation device (e.g. relay or solenoid), and
final control element affecting the process operation.
||| || | ||| || |
||||
safety system functions
|||| ||
||||
|
||
|---
individual SIF and complete system functionality,
speed of response, when a safety parameter must act in a specified period of time,
manual trip function to take the SIF outputs to a safe state,
user-implemented diagnostics, and
SIF operability following testing.
NOTE A separate manual trip function, which is not dependent on SIF logic solver, is
recommended per ANSI/ISA-84.01-1996 and this function should also be tested.

25
ISA-TR84.00.03-2002
Where repair or replacement of SIF components has taken place, the guidance in Table 3 may be used.
Table 3 Calibration and te sting guidance for repaired or replaced components

in SIF
Field Device
Calibrate the transmitter; verify switch setting and valve stroke
Verify correct operation of replacement/repaired component in the SIF;

e.g.,
Examples:
transmitters
computational relays
switches, and
valves.
Logic Solver and/or

I/O module
All
Functional testing of all inputs and outputs of the repaired or

replaced component.
Functionally verify correct signal flow from replacement
transmitter-to-next component in SIF (typically the Logic Solver)
Functionally verify correct signal flow from Logic Solver to
replacement valve
Input-to-output functional tests of a replaced Logic Solver component

(e.g., a CPU card, and I/O module) is not necessary if the Logic Solver
system contains internal self-diagnostics and reporting that verifies
component operability.
Document the component calibration and performance verification.
6.4.2
6.4.2.1
Component specific guidelines

Sensor testing transmitters
Testing sensors may involve (1) use of process to drive transmitter, (2) simulating the sensor input via
appropriate measurement source, or (3) simulating the sensor output via a mA simulation tool. The
particular technique used should be specified in the test procedure for the SIF. Using the process to drive
the transmitter will provide assurance the transmitter can measure the process conditions but this
technique may not always be available if the process is not in operation. Using simulated measurement
input to the transmitter is probably the most reliable and available technique. This technique tests the
function of the transmitter, the wiring, and the receiving device. Using a current simulation on the output
tests the wiring and the receiving device but does not test the transmitter function.
Measure the sensor output conditions; if the output is linear, measure the output level with respect to the
current process condition such as temperature, pressure, product level etc.

Check the power line-to-ground voltage and the phase angle between the current and voltage for each
phase line for motors, heaters etc., where applicable.
--
Measure the power supply voltage, AC or DC, for the SIF components and verify that the power is within
the acceptable range (AC 2.5 volts; DC 0.4 volts).
||| || | ||| || |
||||
A test to confirm SIF action on total power supply failure should be carried out and if battery supplied
power is provided, it should also be tested to confirm that desired time of backup is available.
|||| ||
||||
||
|---
NOTE Documentation for replacement of a Logic Solver component

includes recording diagnostic information observed that proved component
operability.
26
ISA-TR84.00.03-2002
Sensor testing will vary depending on the type of sensor used. The guidelines which follow outline
proven in use techniques for verifying sensor operation in the SIF.
Root valves on all sensors should be verified open at end of test. Secondary valves, manifolds, vents,
etc., on all sensors should also be verified as being in the in the service condition at end of test.
Each individual components off-line condition should be checked and verified based on the expected
value with respect to the process off-line conditions.
6.4.2.2
mA pressure transmitter
Refer to Annex NN for example procedure for testing mA pressure transmitters.

Table 4 is an example of a way to document test results for this testing.
Table 4 Sample documen tation for high alarm and trip settings
Pressure
Input
Input Range
P1234
(0-xxx psi)
(0-yyy
H2O)
High PreAlarm
Setpoint
P1234
(xxx psi)
(yyy H2O)
High Trip
Setpoint
P1234
(xxx psi)
PreAlarm
Setpoint
PreAlarm
Setpoint
(As
Found)
(As Left)
Trip Setpoint
Trip Setpoint
(As Found)
(As Left)
(yyy H2O)
(zzz mA)
(zzz mA)
PT1234
Note that this same procedure can be used for differential pressure transmitters with the appropriate test
equipment.
6.4.2.3
mA temperature transmitters
See Annex PP for example procedure for testing mA temperature transmitters.

6.4.2.4
mV temperature transmitters
See Annex QQ for example procedure for testing mV temperature transmitters.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

27
ISA-TR84.00.03-2002
Table 5 is an example of how temperature transmitter testing might be documented.
Table 5 Sample documen tation of high temperature alarm and trip settings
-|
||| || | ||| || |
T/C Input
T/C Fault
(Upscale
Burnout)
||||
|||| ||
T1234
Input
Range
T1234
(0-xxxx
Deg F)
High Prealarm
Setpoint
T1234
Pre-alarm
Setpoint
Pre-alarm
(As found)
Setpoint
(As Left)
High Trip
Setpoint
Trip
Setpoint
Trip
Setpoint
T1234
(As
Found)
(As Left)
(xxx Deg F)
( xxx Deg F)
||||
TE1234
|
||
|---
6.4.2.5
Process analyzers
Process analyzers should be calibrated in accordance with manufacturers specific instructions.

Signals from process analyzers to SIF are typically current signals representing values and ranges of
components being measured. Verification of correct setpoints for pre-alarm and trip values should be
done using current sources in like manner to that for other current transmitters. (See Annex NN.) As
found and as left values for pre-alarm and trip setpoints should be documented.
6.4.3
6.4.3.1
Sensors switches
Pressure switches
See Annex RR for example procedure for testing pressure switches.

6.4.3.2
Temperature switches
See Annex N for example procedure for testing temperature switches.

6.4.3.3
Level switches
Testing of level switches can be performed using the procedure outlined in Annex K. This procedure was
developed for use in on-line testing but is applicable for off-line testing as well.
6.4.4
Miscellaneous sensors
This clause will offer guidance for testing a variety of sensors that might be included in SIF.
6.4.4.1
Vibration monitors
Refer to Annex C for example procedure for testing vibration monitors.

6.4.4.2
Thrust position monitors
Refer to Annex C for example procedure for testing thrust monitors.

ISA-TR84.00.03-2002
6.4.4.3
28
Overspeed trip
See Annex D-1 and D-2 for example procedures for testing overspeed trip logic.
6.4.4.4
Permissive start of turning gear motor
See Annex E for example of a turning gear motor permissive start test procedure.
6.4.4.5
Lube oil pump auto start test
See Annex F for example procedure for lube oil pump auto start test.
6.4.4.6
First out alarm tests
See Annex G for example procedure for testing first-out sequence alarms.
6.5
Logic solver test procedures
Use SIF-specific functional test procedures when testing the logic solver. Functional test procedures may
include
written procedures;
logic diagrams;
control loop drawings;
electrical control schematics; and/or
checklists.
Using HMI, test each SIF manually by creating each fault condition and verifying proper response on the
HMI and observation of the final control device(s).
-|
||| || | ||| || |
||||
Using PLC programmer for the logic device being tested and HMI screen, test the logic programmed
function by function. Thoroughly check and verify the internal scaling factors for calibration and test
range limit flags with manual input and output value variation. Test each individual sensor, the measured
value with separate certified Test Meter and the value measured in PLC. Verify that the PLC value is
scaled to match the Test Meter measured value. Performance should be considered unacceptable if
variation between Test Meter measurement and Logic Solver indicated values exceeds 2% of
measurement range.
|||| ||
Validate logic solver performance by executing the appropriate procedure from the following tests.
||||
|
6.5.1
Complex application logic systems
||
|---
For an example functional test procedure for a complex application logic system, refer to Annex H.
6.5.2
PLC logic solvers connected to field devices
An example of a test procedure for complex logic that involves field devices also in included as Annex R.

29
6.5.3
ISA-TR84.00.03-2002
PLC logic solvers connected to simulators Hardwired simulators
Some companies have developed hardwired simulators for use in testing PLC logic. These simulators
consist of panels with potentiometers, lights, and switches to represent all input devices and lights to
represent output device positions. The simulators may be connected to the input terminals of the PLC
directly or an arrangement using plug connection cables may be used. With the simulator connected, a
procedure which exercises all possible combinations of logic that the PLC might encounter is conducted
to validate that the logic solver will perform as required for each safety function implemented. In some
instances the simulation panel is arranged graphically to represent the process being protected. When
this is done, the simulator can also be used as an operations training tool for the SIF functionality.
6.5.4
PLC logic solvers connected to simulators Software based simulators
-|
||| || | ||| || |
||||
Some companies have developed software-based simulators to accomplish the testing described in the
clause above. In this instance, the test program is developed in application software using another PLC
or in some instances a personal computer. Connection to the logic solver for testing is similar to above.
However, the use of such a simulation requires complete validation of the embedded, application and
utility software in the simulator prior to testing the SIF Logic Solver. The software simulator might also be
used in training operators in the functionality of the SIF. In some instances this software simulator might
operate in an automated mode in performing the test.
|||| ||
6.5.5
PLC logic solvers not connected to field or simulators
||||
|
||
|---
Testing PES based logic solvers that are not yet connected to field devices or a simulator is limited to
manual testing of application logic using the PES configuration device. This type of testing primarily takes
place during the initial programming and configuration phases of the PES implementation for the SIF
application. Since changes are numerous during these phases, formal documentation of this "testing"
should not be necessary. The final application logic documentation should reflect the results of this
testing.
6.5.6
Electromechanical relay logic solvers
See Annex T for an example of a procedure for testing an electromechanical relay based SIF.
6.6
Testing of final control elements
Manually open or close valves and start or stop motors individually. In some applications, this test might
have to be repeated 2 or 3 times to ensure proper functioning of the valves. Failure to properly open or
close on the first attempt might be considered a failure by some companies and repeating the test 2 or 3
times to see the valves function would not ensure proper operation when the SIF called for a trip. Others
might just want to see the valves operate more than once to obtain a confident feeling of proper
functioning.
Manually change the output value for linearly controlled devices such as control valves. Observe the
response of the device by watching the feedback value on the HMI and directly at the device. Document
response of each valve in field and indication on HMI.
A test of the SIF valve should determine whether the valve can meet the functional requirements provided
in the safety requirements specification. In addition to full stroke testing, the valve test may involve leak
testing in cases where the valve has been specified with a maximum leak rate. Stroke times may be
determined and recorded if valve stroke speed is critical. Stroke time should include the time from output
signal change to valve position change, not just from start to finish of valve stroke. It has been shown

ISA-TR84.00.03-2002
30
that the pre-stroke dead time as actuators fill or exhaust and achieve breakaway force on the valve is
generally the longest time component of the total stroke time.
Leak testing of SIF valves may require installation of bleed valves with pressure gauges downstream of
the valve so that the valve can be monitored for positive shutoff. The burner management standard
2
NFPA (8502) gives guidance on this for fuel valves to furnaces and boilers that is also applicable to other
process valves requiring positive shutoff.
6.7
Testing solenoid valves
Verify solenoid valve normal and trip condition status. If solenoid is normally energized during process
operation, verify that coil is energized and no air is venting through vent port. If solenoid is normally deenergized during process operation, verify that coil is de-energized and vent port is open to vent. Deenergize or energize coil as required and verify that air is either vented from valve actuator or applied to
valve actuator as required by SIF logic. Verify that solenoid installed position allows gravity assist in
taking valve to de-energized position. For examples of testing solenoid valves see example procedures
for testing of final control elements (Annexes W, Z, DD, and MM).
6.8
Testing of HMI
All indications of SIF variables that are displayed on a human machine interface whether they be the
BPCS operator workstation, a separate operator display station, or lights on a panel should be verified as
each variable is tested. The correct range of process variable, the pre-alarm and trip setpoints, and any
other variable information that is provided should be verified and documented during the testing. Both as
found and as left values should be documented. Where multiple pages (video, CRT, etc.) of SIF
information are provided, all displayed pages should be verified for appropriate labeling and access
control.
If the HMI is used to initiate output functions for the SIF such as may be the case in batch control
applications or a manual shutdown function, this function should also be tested.
6.9
Testing of communications
Where provided all communications with other systems such as the BPCS should be tested to verify
correct transfer of information and data from the SIF to the other system(s). All information transferred
should be verified by comparing the sent information with the received and displayed information on the
system(s) other than the SIF.
Techniques used for blocking communications from the BPCS operator workstation to the SIF logic
solver, especially those used to prevent unintended logic changes to the SIF application software, should
be validated. Attempts at changing logic in the SIF should be made from the BPCS operator workstation
to verify that this action cannot take place. The security technique used to protect against changes to
logic from the configuration station should also be tested. If this involves connecting the configuration
station only when changes are to be made, verify that another PES station cannot perform this function.
If password protection is the technique used, verify that the password cannot be easily discovered
through normal hacking in computer software. This is especially important if the SIF display station is
also used as the configuration station with key lock and or password protection.
Where a separate operator display station is provided for the SIF, tests should confirm that changes to
logic in the SIF logic solver cannot be made from this station.
______
2
NFPA 8502, published by the National Fire Prevention Association.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

31
ISA-TR84.00.03-2002
6.10 Final SIF test procedures

Verify that all inputs, outputs and logic are in correct state at end of test and ready for process startup to
proceed. This includes removing all bypasses, jumpers, etc. and returning all final control elements to
pre-startup positions. Verify that any temporary jumpers used for bypassing are accounted for by
comparing to list provided for each SIF. See Annex J for example of a jumper control list.
Perform a final inspection on the logic solver and all SIF components. The intent of this inspection is to
make sure all work on the SIF is complete and that the system can safely be returned to normal
operation. The inspection should include, but not be limited to, the following items.
Verify that all alarms are cleared. Exceptions might be low process variable alarms that cannot be
satisfied until process has been advanced to some operation state other than out of service.
Verify that all problems and failures identified have been addressed.
Check any components and devices that were replaced to ensure proper working condition.
Verify all switches and hand switches are in their proper positions.
Visually inspect all SIF pressure and instrument gauges to insure proper working condition.
Visually inspect tubing, wiring terminations, and wiring to insure that they are secure. This might
include actually trying to pull wire from the connections.
Verify that all final control elements are in the correct position for the process out of service state.
Verify that all instrument air supply regulators are at their proper settings.
Verify that field junction boxes and housings are secured and weather tight.
Verify that all wiring conduit and conduit access plates are secure and weather tight.
Verify that all process root valves to transmitters and switches are open and any bleed valves are
closed.
On-line testing
Successful on-line testing requires planning, design provisions, and procedures. When possible, the SIF
should be designed to minimize or eliminate the need for bypassing or jumpers for testing. Any installed
equipment for on-line testing, such as bypasses or instrumentation, should be thoroughly tested, along
with its associated logic during commissioning. Detailed test procedures are essential for on-line testing
to ensure that the test is correctly implemented. It is important to emphasize that any on-line testing
presents the risk of a process upset or unintentional shutdown as the result of an incorrectly performed
test.
7.1
Preparation
Prior to any on-line testing a review of the tests to be conducted and the procedures for performing these
tests should be carried out by persons from instrument/electrical maintenance, operations, and technical
who are familiar with the process and the SIF. This group should review the following items at a
minimum:
Discuss the importance of operators on shift being given notification that a SIF system is about to be
tested or worked on.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
32
--
Review the SIF system description.
Review the SIF system functional test procedure.
Discuss whether the on-line test will affect other systems, such as the BPCS, alarms, or other SIFs.
Discuss the work scope, exactly what will be checked, what flows, pressures, temperatures, levels,
etc.
Discuss why craftsman should notify the operator when activating each alarm.
Discuss what devices will no longer function when bypassing the system.
Review with Operations any special precautions required during the test.
Discuss what operations and maintenance should do if an unplanned SIF trip occurs while the input
being tested is in bypass.
Discuss what operations and maintenance should do if the operator must initiate the SIF while the
bypass is in place.
Discuss what procedures will be used to ensure that the SIF is returned to service once the SIF
testing is complete; e.g., automatic verification, independent review, etc.
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
7.2
When should on-line tests be performed
On-line testing should never be performed when it would compromise the safety of the process.
The SIF components should be calibrated based on the plants Preventative Maintenance (PM) schedule
for the process equipment. The calibrations should be performed according to the company calibration
procedures.
On-line testing may be necessary where the normal operating cycle of the process between scheduled
shutdowns is greater than the test interval used in evaluating the SIF for its integrity level. Maintaining
the required integrity of the SIF requires that this test interval be maintained. Therefore, the testing of
some SIF will require doing the testing on-line.
Testing SIF on-line introduces stress on both the process and those performing the testing. It is therefore
imperative that on-line testing be performed under closely controlled conditions using procedures that
have been proven. This section will outline guidelines for when such tests should be performed and how
this can be accomplished without compromising the safety of the process.
7.2.1
Sensors
Process sensors that are going to require on-line testing should generally be installed with some level of
redundancy to allow testing of one sensor while another is still making the necessary measurement. If
on-stream reliability of the process is critical, a 2oo2 or 2oo3 voting of sensors may be used. The
designer then determines whether bypasses will be used to facilitate testing. For either 2oo2 or 2oo3
voting, one sensor can be tested at a time without the need for bypasses. When on-line diagnostics are
used to detect transmitter failure, the designer determines whether the voting logic will be changed. For
example, the logic for the SIF may be reduced from 2oo3 voting to 1oo2 if a failed transmitter is voted
toward the trip condition. In contrast, it would reduce from 2oo3 voting to 2oo2 if the failed transmitter is
voted away from the trip condition. If a 1oo2 configuration is used for sensors, a bypass will be necessary
to allow on-line testing of each sensor while maintaining measurement capability with the other sensor.

33
ISA-TR84.00.03-2002
Logic during such a test will reduce to 1oo1, which is a lower SIF integrity than the 1oo2, and appropriate
precautions should be taken during the testing to ensure safety is not compromised.
The testing frequency for sensors can be more or less frequent than that of other SIF components
depending on the MTTF of the components used and the voting configuration. Where analog sensors are
installed in redundant configurations, the testing interval for individual sensors can often be extended due
to diagnostic coverage provided by analog signal comparison and alarming on deviation of the signals.
Testing and calibration of the sensors would then be performed when the deviation alarm is generated.
Depending on the voting configuration, on-line testing may not be necessary to maintain SIF integrity.
This assumes that common cause failures such as mis-calibration of all three sensors has been
accounted for in the calibration procedures.
7.2.2
Logic solvers
Testing of logic solvers for SIF is not practical while the process is on-line. Therefore the full functionality
of the logic solver should be tested and validated prior to placing the SIF in operation as a layer of
protection for the process. Further testing of the logic solver should be performed at the scheduled down
time for the process and any time the SIF is taken out of service for logic changes.
-|
||| || | ||| || |
7.2.3
Final control elements
||||
|||| ||
||||
|
||
|---
Final control elements often have limited on-line diagnostic capability. Consequently, final control
elements generally contribute the greatest amount toward the probability to fail to function when a
demand is placed on the SIF. These devices typically remain in one position for long periods of time
without moving until they are called on to respond to a process demand. Final control elements may also
be installed under process operating conditions that can be severe, e.g. corrosive, plugging, or
polymerizing services. They also contain many moving parts which must function together to accomplish
the desired action they are to perform. Since the test interval to achieve the required safety integrity is
often shorter than the turnaround interval for the process, on-line testing of final control elements
becomes a desirable alternative.
Whether simplex or redundant valves are utilized, on-line testing requires additional design provisions,
e.g., full flow bypasses, partial stroke testing equipment, test instrumentation, etc., to allow testing to
occur without process interruption.
Final control elements may have common components, which could render multiple devices unavailable
when these common components fail. For example, if air were used to move valves, which are used for
process isolation, the loss of air supply would be a potential common cause failure. If the air supply fails
to provide the necessary pressure or volume to move either of the valves, the SIF will fail to accomplish
its design function.
The testing interval required to achieve the SIF integrity is affected by the severity of the service the valve
encounters. Temperature (high or low), erosion, corrosion, and polymerization are a few of the factors
which may have an impact on the required testing interval. In many cases, on-line testing is required in
order to achieve the SIF integrity. On-line testing may consist of a full functional test or a partial test of
the valve failure modes. When on-line diagnostics or partial stroke testing is used to supplement full
functional testing, an assessment of the failure modes detected by the diagnostics should be performed.
The diagnostic coverage factor used in the SIL verification should be substantiated by failure modes and
effects analysis (FMEA). Many users limit the coverage factor assumed in the SIL verification to a certain
maximum, e.g. 60%.The SIL calculation is then performed by splitting the PFDavg calculation into two
parts. A portion of the valve failure modes is tested at the partial stroke testing frequency. The remainder
of the valve failure modes is tested at the full stroke testing frequency.
A visual inspection according to an approved procedure should be carried out regularly, e.g. every three
months. See Annex O for a sample procedure or checklist for this visual inspection.

ISA-TR84.00.03-2002
7.2.4
34
HMI
Testing of the HMI during normal operation of the process should be done any time that there is an
indication of a malfunction of the HMI display itself. This could result from a fault in an input to the display
or a fault in the display component itself. When repairs are made or a HMI is replaced, all features of the
original HMI specified for the SIF should be tested.
The HMI should also be tested on the same schedule as the logic solver.
7.2.5
Communications
Communications between the SIF and other systems should be tested on the same schedule as the logic
solver and at any time that there is an indication of a malfunction of the communication link. If
communication with another system has an impact on the safety integrity of the SIF, the test interval
included in the integrity evaluation should be used. Any on-line testing of a communication link should
not reduce the capability of the SIF to perform its function.
7.3
7.3.1
Performing on-line testing

Precautions
On-line testing should not be started unless it can be worked step by step to completion with no
anticipated interruptions. Once the inputs or outputs are bypassed, a dedicated control system operator
should monitor the process continuously using means independent of the SIF. The operator should be
capable of initiating a manual trip of the SIF or other installed systems in the event of a process demand
during the test. Once the manual block valves are opened or closed, a dedicated field operator should be
available to open or close the block valves quickly if a process demand occurs. All personnel involved in
on-line testing of the SIF components should be aware of the mitigation steps to take in case a process
demand occurs while the testing is in progress. The following caution should be included at the beginning
of all on-line test procedures:
CAUTION THE OPERATOR (S) MUST FULLY UNDERSTAND AND BE PREPARED TO
IMPLEMENT THE MITIGATION PLAN FOR THIS PROCESS IN THE EVENT THAT A TRUE TRIP
DEMAND OCCURS DURING THE CONDUCT OF THIS PROCEDURE.
Similar to the off-line testing procedure, measure the power supply voltage, AC or DC, for the SIS
components and verify if the power is within the acceptable range. Test values should be within 2% of
normal values.
Check the line-to-ground voltage per line.
7.3.2
Sensors - Transmitters
Several examples of testing sensor (transmitter) logic on-line in SIS are shown in Annexes L, M, and V.
In each of these procedures a slightly different approach is used but all of them accomplish the same
result of verification of sensor operation and logic in the SIS.
7.3.3
Thermocouple test for 2oo3 configuration
See Annex Y for model procedure for performing a 2oo3 test of thermocouple operation and logic in SIF.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

35
7.3.4
7.3.4.1
ISA-TR84.00.03-2002
Sensors Switches
Level switch technique
See Annex K for example of a procedure for on-line testing of a level switch.
7.3.4.2
Pressure switches
Pressure switches can be tested on-line using the same procedure as off-line tests with provision for
bypassing the input during the testing.
7.3.4.3
Temperature switches
Only the output portion of temperature switches can be generally tested on-line. Use the same procedure
as off-line tests for the output portion of the switch with provision for bypassing the input during the
testing.
7.3.5
Logic solvers
In general testing logic solvers while the process is in operation is not recommended. The logic solver is
typically the most reliable portion of a SIF and once the application program is fully validated by the
PSAT, there is no need to retest the logic solver unless changes have been made to the logic contained
in the logic solver. When changes are made to the logic, the logic solver should be retested prior to
placing the SIF back in operation.
Testing electromechanical based logic solvers on line would require extensive modifications to allow this
testing. These modifications could result in a system with less integrity than one without the provisions
for testing. It is therefore not considered a good practice to attempt testing electromechanical based logic
solvers while the process is on-line.
Where the SIF is functioning during a startup of the process, a test of SIF logic typically occurs each time
the process is started up. If more frequent test intervals than the normal process turnaround schedule is
required to achieve the SIL required, credit might be taken for unplanned startups due to downtime forced
by equipment or utility failures.
7.3.6
On-line testing of final control elements can be the most difficult testing associated with the SIF. Any test
of the valve on-line may result in process disruption if the test is not properly conducted. Valve tests can
consist of a full stroke using process bypasses or a partial stroke to a specific percentage of valve
movement. Any valve test should be evaluated to determine what failure modes are detected during the
test. Of particular significance with respect to partial stroking of valves is that the partial stroke does not
determine whether the valve will function to its full open or closed position. This can only be determined
by a full stroke test.
Some companies take credit for on-line valve tests when an unplanned trip of the system takes place.
They verify that all valves went to their correct position as required by the trip condition and that all
indications of valve position indicated this to be true. They then document what has occurred and count
this as a test of the valves affected. When taking such credit, consideration should be given to the
performance requirement of the operation of the valve (i.e. speed of response and shutoff performance).
The documentation should include the rationale for acceptance of the performance based on additional
in-line testing while the opportunity is available or noting that prior testing could lead one to believe the
performance is adequate until the next scheduled test.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

36
ISA-TR84.00.03-2002
-|
||| || | ||| || |
||||
Techniques have been devised to allow some measure of testing of final control elements, particularly
valves. These include use of manual block valves around the SIF valve for use while the testing is being
performed. A drawback of this approach is high capital cost and the chance of leaving them in the wrong
position after a test has been performed. Using this technique requires special attention to operation of
the manual valves before and during the test. Annex Z is an example of testing valves that have installed
manual block valves for testing. A valve lineup procedure has been developed by one company to follow
during testing involving manual block and bypass valves. The procedure follows:
|||| ||
||||
VALVE LINE-UP ACTIVITIES
|
||
|---
During the course of this test, the Technician Performing the Test will be instructed to
have an Operator close the upstream manual valve associated with this system. Since
the upstream manual block valve is Car Sealed, the Operator must first remove and
dispose of the Car Seal before closing this valve. Closing the manual block valve shall
be performed in accordance with all existing site procedures.
Upon completion of this test, the Technician Performing the Test shall inform the
Operator the upstream manual block valve may be opened. Opening of the manual block
valve shall be performed in accordance with all existing site procedures. The Operator
must install and lock a new Car Seal on the manual block valve and record the Car Seal
Number in the space provided at the end of this test.
Another technique involves testing only through the final solenoid valve on the final control element
actuator. This is common practice by many companies today and allows validation of elements of the SIF
except the movement of the final valve itself. In this type of testing, the air supply to the valve actuator
from the final solenoid is shutoff to prevent venting the actuator and operating the valve when the
solenoid is tripped. Since about half of the final control element failures probably involve the solenoid,
this technique can account for about half of the potential failures of the final control element package.
Some companies use redundant solenoids on each SIF valve to improve the availability or reliability of
the SIF. Dependent on the solenoid configuration, bypassing may be required to test each solenoid one
at a time and to verify that the solenoid has vented. When the test is complete, the technician should
verify that the solenoid has been returned to service. Simply testing that the solenoid coil has energized
or de-energized is not a complete test, since the solenoid must move to a specified vent state for correct
functioning. For example, a test of the solenoid coil will not detect that the vent port is plugged with
debris, preventing the venting of the air from the process valve. The following provides an example of a
test for dual solenoid which is implemented using a bypass valve on the air line and a defeat switch in the
logic.
a) Turn the bypass valve slowly to Bypass while watching the pressure gauge to ensure air pressure
remains unchanged.
b) The trip solenoids are now bypassed.
Check
( )
c) With the system in trip condition, temporarily place the defeat switch to OFF. Both solenoid valves
should trip.
Solenoid valves tripped.
d) Return all bypass valves to normal operating position.
Check
( )
Check
( )
Other techniques for testing solenoids but not the valve are shown in Annexes W and MM.
Another technique proposed and used by some companies involves doing a partial stroking of the final

37
ISA-TR84.00.03-2002
control element valve to verify movement at least begins when called for by the SIF. This movement
does not ensure that the valve will go to its full open or closed position when a real demand is placed on
the system but does give some indication that the valve will at least attempt to go to its tripped position.
Several examples of procedures for performing a partial stroking test of a SIF valve are shown in
Annexes DD, EE, HH, and LL.
The following guidelines have been suggested for on-line testing of valves:
SIL 1 SIF systems typically do not require any on-line testing.
At turnaround intervals of less than 3 years and a target SIL of 2, double block valves seldom need to
be partial stroke tested unless a dirty process increases the valve failure rate beyond the value
normally used in PFD calculations.
For SIL 3 applications, the testing frequency must be less than three years and on-line testing of
some type (i.e., partial stroke) must be performed. Fortunately, only about 10% or less of the
installations in the process industries are SIL 3. This means that for a small percentage of shutdown
systems or for turnaround periods greater than 3 years, some type of on-line testing of valves is
typically required.
Some cautions should be noted with regard to partial stroke testing of SIF valves. These include:
One user noted that a failure occurred in a process valve which had been partial stroke tested to a
specific mechanical stop position for years. The valve only moved 1/4 of its full stroke when actually
called upon to move to its full trip position.
If positive isolation, i.e. tight shutoff, is required, a partial stroke test does not test this capability.
Since a partial stroke test cannot detect all failure modes of the valve, full credit should not be given
for partial stroke testing. The following application limitations should be considered when evaluating
the use of partial stroke testing:
1) The service is clean. No dirt, polymerization products, deposition, crystallization, corrosive

chemicals, etc.
2) No documented history of a test that revealed valve failure due to process-related seat failure.
3) It must not be a tight shutoff application. This specification indicates that the valve seating is
extremely important, so the only valid test is a full seat test.
Partial stroke testing must consist of verification that the valve moved a set percentage of valve range. It
is not considered a valid test to only confirm open or closed limit switch contacts. Percent movement of
the valve should be confirmed using position indication, such as limit switches or positioners, or using
visual observation. To prevent buildup of ridges on the valve stem at the percent range for the test, it is
recommended that the percentage of travel periodically be changed.
Several companies now have a package, which allows assessment of the torque required to move the
certain valve types during the stroke. This does not verify tight shutoff capability, but does provide some
diagnostic coverage. A listing of some vendors providing these techniques is shown in Annex JJ.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
7.3.7
38
HMI
On-line testing of the HMI is not required unless changes have been made in the information presented to
the operator. Any changes that modify information to the operator about the status of the SIF should be
tested when they are made and verified as being appropriate.
7.3.8
Communications
Any changes made to communications from the SIF to any other system should be tested when the
changes are made. It is not recommended that changes be made while the SIF is providing protection to
the process as these change activities could result in nuisance trips of the SIF or result in program errors,
which could render the SIF incapable of performing its function.
7.4
Inspection (observation techniques that enhance SIF availability)
Almost as important as testing of the SIF is having a program in place that monitors the apparent
condition of components of the system and their capability to provide the performance required to meet
the safety requirements. An example of a condition that could limit the performance capability of a SIF
component would be corrosion buildup around the stem of a sliding stem valve used to isolate a process
stream when called upon by the SIF. The buildup, if not noticed and tended to, could prevent the valve
from stroking all the way or even at all when called upon to take action. Inspection activities, which
monitor such a condition and others, which might occur, can enhance the safety integrity of the SIF.
Considerations that should be a part of these inspection programs are discussed in clauses that follow.
7.4.1
General considerations
The physical condition of the components of a SIF should receive a thorough mechanical inspection on a
regular scheduled basis. This is especially true for field components exposed to environmental
conditions, changes, and things like corrosion, process spills, leaks, etc. This inspection should be
documented and any action that is found to be necessary initiated immediately or scheduled for the first
opportunity if that is satisfactory.
7.4.2
Responsible personnel
The process unit Operations Department should be responsible for scheduling the inspections. The
inspections should be scheduled to coincide with the scheduled functional test at a minimum. A schedule
of once each quarter or twice a year may be appropriate for processes where conditions tend toward
potential problems. In very serious environmental conditions the inspection might be necessary more
frequently.
Maintenance Craftspeople should be responsible for performing and documenting inspections.
Documentation records should be maintained for reference. These records may provide information
relative to MTTF values for components that are used for SIF evaluation calculations and might be useful
in relating process changes to problems which occur.
The maintenance and operations departments should be responsible for following up on the repair of any
deficiencies discovered during the inspection to ensure repairs are completed satisfactorily.
7.4.3
Evaluation criteria
Each component of a SIF should be in good condition with no visible physical defects, which could impact
the performance or reliability of the system.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

39
ISA-TR84.00.03-2002
The instrument craftsmen should complete a Safety Instrumented System Inspection Form during the
course of the system inspection. See Annex O for an example inspection form.
Examine all parts of the SIF for damage, deterioration, missing parts, or other physical damage. The
physical examination should include:
All input devices to the SIS such as transmitters, switches, thermocouples
All output devices such as solenoid valves, control valves, motor controllers
System wiring with particular attention to terminations, junction boxes, conduit
SIS logic system - electromechanical relays, PLC, TMR, etc.
If a defect is found during the inspection it should be corrected as soon as possible. If the defect cannot
be corrected immediately, a work order should be generated to repair the defect as soon as practical.
The nature of the defect should be described on the Safety Instrumented System Inspection Form.
The inspection should include, but not be limited to the following items.
Verify that all components of the SIF are properly tagged and labeled.
Visually inspect devices for excessive corrosion.
Visually inspect all components, including alarm lights, to insure proper working condition.
Visually inspect tubing, wiring connections, and wiring to insure proper working condition.
Inspect heat tracing if appropriate to ensure proper operation.
Verify that all instrument air supply regulators are at their proper settings, bug screens in place and
not plugged, etc.
Verify that boxes and housings have proper seals and covers and are secure.
Verify that all conduit and conduit access plates have proper seals and are secure.
Verify that tubing and cables are properly routed and secure.
7.4.4
Sensors
The following inspection criteria, at a minimum, apply to field sensors:
Are instruments tagged with a special tag identifying them as part of a SIF?
Are process connections in good condition with respect to leaks, insulation, corrosion, etc?
Are process root valves in correct position?
Is instrument properly supported?
Is required heat tracing and insulation in good condition?
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
40
Is conduit connection in good condition and covers in place?
Are drains, seals, and covers in place, if required, and in good condition?
Are process tubing lines properly supported?
Is conduit properly supported?
7.4.5
Logic solvers
Logic solver cabinets should be inspected for proper ventilation or cooling, buildup of dust or other foreign
material, proper closure hardware in good condition, absence of moisture, wiring and grounding
connections secure, cabinet security devices in good working order, and proper operation of any lights
that are meant to indicate a status condition of the logic solver itself. Some vendors of this equipment
have recommended routine maintenance schedules that may offer other items that should be checked.
7.4.6
Control valves should be inspected for the following conditions as a minimum:

Bug screens in place and not plugged up
Tubing condition for air supply, connections to positioner or topworks; connections tight with no leaks
Solenoids properly mounted with tubing and electrical connections in good condition
Valve piping gaskets not leaking
Valve stem not leaking
Topworks in good condition; no cracks, leaks at gaskets, etc.
No corrosion buildup around valve stem
Instrument pressure gauges in good condition
Any auxiliary equipment such as signal converters and positioners, in good condition
Any other conditions which might hinder proper operation of the valve
Appropriate tagging of valve is in place
--
|
||| || | ||| || |
||||
7.4.7
Switches
|||| ||
||||
Switches used as hardwired bypasses should be inspected for proper position, security measures in
place, and wiring connections secure.
|
||
|---
7.4.8
Wiring connections
Any critical wiring connections in junction boxes, scramble boxes, or other terminations should be
checked for proper tightness, labeling and mechanical protection. The use of wire nuts for making
connections in SIF is not recommended. Seals where required should be checked. Conduit covers
should be in place. Conduit drains should be in place and working properly. Cabinet doors should be
closed, water tight, and properly labeled.

41
7.5
ISA-TR84.00.03-2002
Testing documentation
7.5.1
SIF test procedures
A specific written test procedure should be available for each SIF included in the SIS. The procedures
should be of sufficient detail to allow personnel who are not intimately familiar with the SIF to perform the
appropriate testing. These should include:
List of safety function(s) included in the SIF
Equipment description and location for each safety function
Functional logic for each safety function
Inspection procedures to be followed
Calibration and testing methods to be followed
Frequency of calibration, testing, inspections, and maintenance activities
Specify acceptable performance limits ( 2% of full range if no limits specified)
Specify sequence of testing if required
Specify who should perform test
Specify state of process when test is performed
If SIF logic is mirrored in the BPCS, test should show that SIF actuated final control device.
Verification of operational state of SIF after test complete
Test of internal and external diagnostics (WDT, etc.)
Verify auxiliary service components are operational (fans, filters, batteries, UPS, etc.).
Define a means of ensuring testing is performed and documented.
All test procedures should have system being tested, page numbers, and revision date on each page of
procedure. The responsible person for maintaining each procedure should be identified in the procedure.
All drawings used to describe SIF should be referenced including P&IDs, loop drawings, logic sheets, etc.
7.5.2
Documentation of functional testing of SIF
Document the results of functional tests for all SIF components and systems.
Test documentation should include but not be limited to the following data:
Date of inspection and testing
Name (signature) of the person(s) performing the work
Tested equipment serial number or other unique identifier, such as loop number, tag number, or,
equipment number
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
42
Results of the inspection and test (as found and as left conditions)
Important: Confirm and document that alarm and/or shutdown trip devices and process actuators
operate within specified tolerances. This can be accomplished individually as a component test or as part
of the loop or system test.
Retain records of these functional tests and inspections in accordance with plant policy. It is
recommended that at least the two most frequent records of functional testing of the SIF be kept at the
plant site. If a regulating body such as OSHA requires records retention, the retention period in that
regulation should be followed.
7.5.3
Documentation of SIF component calibration
--
Document each calibration of a SIF component. Calibration documentation should include the following
data:
|
||| || | ||| || |
Date of inspection and calibration
Name of the person performing calibration
Calibrated equipment serial number or other unique identifier, such as loop number, tag number, or
equipment number
Before and after results of the calibration; i.e., As Found and As Left condition
Test equipment (by manufacturer and model/serial number) used for the calibration
||||
|||| ||
||||
|
||
|---
Calibration records should be maintained to confirm that this work was completed and to build a historical
database of SIF component performance.
NOTE These records become the basis for adjustment to the calibration interval specified for each safety system component. The
frequency(s) of testing and calibration of the SIF or portions of the SIF is re-evaluated at a periodic interval set by the site. The reevaluation frequency is based on historical data, plant experience, hardware degradation, software reliability, etc.
7.5.4
Off-line tests
A good example of a test documentation form for off-line testing documentation is shown in Annex AA.
7.5.5
On-line tests
The same forms used to document off-line testing can be used to document on-line testing with the
proper notations provided. Special forms may be developed if the user desires.
7.5.6
How test results are analysed
The results of the calibration and testing should be reported to the site engineer responsible for the SIF
for review and approval. If necessary, the site engineer will consult with the site safety and environmental
personnel for his/her review and recommendation with regard to the impact on the safety and/or
environmental issue(s).
Inspections
An example of a form for documenting results of an inspection program is shown in Annex O.

43
ISA-TR84.00.03-2002
Auditing
Audits should be performed to verify that the procedures related to SIF and, in particular, those outlined in
the SIF testing document remain in force throughout the life of the SIF. Records of audits and their
results should be documented and maintained in plant records. Two types of documents that might
accomplish this audit may be found in Annex FF and GG.
10 References
--
||| || | ||| || |
||||
|||| ||
||||
||
|---
This document was compiled from input provided by operating companies, manufacturing companies,
consultants, and individual engineers who have experience in the application, design, installation,
operation, and maintenance of SIF. The best practices and procedures of these companies and
individuals were combined and edited to allow use without disclosing any proprietary information from any
one company or individual.

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

45
ISA-TR84.00.03-2002
NOTE This procedure was developed by an operating company for a specific application. It has been modified to remove any
reference that might tie it to a specific company. This procedure should only be used as an example of how a user might develop a
procedure specific to their SIS application. Any references to specific brands of instrumentation in the procedure are to clarify the
intent of the procedure only and are in no respect meant to suggest these brands are acceptable or preferred for the users specific
application. The instrument identification numbers used in the procedures are for clarification purposes only and should in no way
be taken as indicative of a particular companys instruments on a particular process.
CAUTION PRIOR TO APPLYING THE INFORMATION IN THIS ANNEX TO DEVELOP A PROCESS

SPECIFIC PROCEDURE, THE USER SHOULD REVIEW AND UNDERSTAND THE GUIDANCE IN THE
BODY OF ISA-TR84.00.03-2002.
Annex A Model procedure for approval required for replacing individual

components in SIF
Scenario:
A SIF instrument or valve needs to be replaced.
The following guidance should be followed in replacing the SIS component:

1. An instrument or valve with the exact model number of the failed SIF component is available from
plant stores or a commercial supplier.
Instrument Craft Person can make this decision.
2. An instrument or valve with the exact model number of the failed SIF component is not available from
stores or commercial supplier.
CASE 1:
A list of equivalent instruments or valves has been prepared and approved for look-up use at plant
site.
Instrument Craft Person selects component from the list.
CASE 2:
1. Functional and physical specifications for the SIF component to be replaced are available in the
SIF documentation.
2. A substitute component with specifications that are equal to or exceed those of the failed
component is identified. Equivalent functional performance of the available substitute instrument
or valve is certain.
Maintenance Technical Staff approves substitute.
CASE 3:
1. Functional and/or physical specifications for the SIF component to be replaced are INCOMPLETE
in the SIF documentation, or
2. The substitute instrument or valve available requires a change of
piping or process equipment;
measurement technology; and/or
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

46
ISA-TR84.00.03-2002
functional performance of the SIF.
Engineering personnel with responsibility for SIF integrity of this process approves substitute.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

47
ISA-TR84.00.03-2002
-|
||| || | ||| || |
||||
|||| ||

BODY OF ISA-TR84.00.03-2002.
||||
Annex B Model procedure for deferring scheduled testing of SIF
|
||
|---
Decision to defer
The scheduled test of a SIF may be deferred provided certain guidelines are followed. The following
guideline will insure all proposed deferrals are properly reviewed and approved prior to granting a
deferral. Note that the personnel titles used may be different from location to location. The intent is to
reflect approval positions and not exact titles.
Deferral request
Deferral request shall be transmitted from Operations to the Instrument Specialist prior to the scheduled
time to test a SIF. The timing shall allow ample time for the Instrument Specialist to conduct a fact based
deferral analysis.
Reason for the request
There are several potential reasons for deferring the test of a SIF.
A turnaround is scheduled shortly after the scheduled test and the risk of off-line testing is lower
than on-line testing. Also, the off-line test may enable the final control element to be tested
whereas an on-line test may not allow the final control element to be tested.
1. The process equipment that the system is safeguarding is out of service. The agreement in this case
is that the SIF will be tested prior to the process equipment being activated.
Deferral length
Suggested maximum length of time for a deferral should not exceed one quarter. If additional time is
needed for a deferral after one quarter, it is suggested the deferral analysis be revisited along with
approvals.
Deferral analysis
A deferral analysis should be conducted prior to granting a deferral. This analysis should include prior
test results. A record of successful tests of the SIF should be the minimum acceptable criteria for
deferring a test. The Instrument Specialist should participate in this deferral analysis and his/her
concurrence should be required prior to forwarding to the approving authorities noted below.
Approvals required for a deferral
SIL I and SIL II systems:
Operating and Technical Area Superintendent.
Procedure No.
Revision Date
Page _ of _

48
ISA-TR84.00.03-2002
SIL III systems:
Site Operations Manager and Control Systems Manager
Communication of deferral
The following should be made aware of any approved deferrals.
Site Operations Manager
Operating Area Superintendent
Technical Manager Control Systems
Technical Superintendent
Engineering/Maintenance Manager
Instrument Specialist
Control Systems Engineer
--
||| || | ||| || |
||||
|||| ||
||||
All deferrals should be documented with each of the items above captured.
||
|---
Documentation of deferral
Procedure No.
Revision Date
Page _ of _

49
ISA-TR84.00.03-2002
-|
||| || | ||| || |
||||
|||| ||

BODY OF ISA-TR84.00.03-2002.
||||
|
Annex C Model procedure for testing turbine thrust position monitors
||
|---
PROBE V-1234
1. Put VT-1234 in the defeat position.
Red defeat light on the face of VT-1234A should be on - verify.
2. Check calibration of VT-1234. Record findings below, make no adjustments until initial checks are
made.
Procedure No.
Revision Date
Page _ of _

50
ISA-TR84.00.03-2002
Table C.1 Turbine thrust p osition

Calibrate 0 30 mils. Active.
ANY FAILURES? _________
VT-1234
ORIGINAL CALIBRATION
GAP
TEST PT
VOLTS
VOLTS
FAILURE
LIMITS
FINAL CALIBRATION
MONITOR
INDICATION
SWITCH
TEST PT
MONITOR
SWITCH
SETTING
VOLTS
INDICATOR
SETTING
TEST PT.
ACTIVE
+40 MIL.
ACTIVE
+3O MIL.
8.4 TO 9.1 V
DANGER
VSHH-1234
27 to 33 mils
ACTIVE +30
ALERT
VSH-1234
ACTIVE +20
0 MIL.
4.6 to 5.4 V
ALERT
VSH-1234
INACTIVE 25
DANGER
VSHH-1234
-27to -33mils
INACTIVE 30
INACTIVE
-30 MIL.
0.9 to 1.6 V
INACTIVE
-40 MIL.
3. Using wobulator pass VT-1234 through its alarm point in the active direction. Do not pass VT-1234
through its trip point at this time.
a. Red danger light on VT-1234A should be off - verify.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

51
ISA-TR84.00.03-2002
b. PI-4321 - located on S/D box should read 20# - verify.

c.
PI-4331 - located on S/D box should read 20# - verify.
d. VAHH-5001-3 located on local panel and UJR-6001 should be clear - verify

e. Alert light on VT-2345 should come on - verify.
f.
VAH/TAH 5001-1 located on local panel should come on - verify.
-|
||| || | ||| || |
g. XA-7000 - the common trouble alarm in the control room should come on - verify.
h. VAH/TAH 5001-1 alarm on sequence of events recorder (UJR-6001) should print out.
||||
|||| ||
i.
Acknowledge XA-7000.
4. Using wobulator (TK-3) pass VT-1234 through its trip point in the active direction.
||||
|
||
a. Red danger light on VT-1234A should come on - verify.
|---
b. PI-4321 - located on S/D box should go to zero - verify.

c.
PI-4331 - located on S/D box should go to zero - verify.
d. XA-7000 - the common trouble alarm in the control room should reflash - verify.
e. VAHH-5001-3 located on local panel should come on - verify.
f.
VAHH-5001-3 on sequence of events recorder (UJR-6001) should print out as being in the trip
condition - verify.
g. Alert light on VT-1234A should remain on - verify.

h. VAH/TAH 5001-1 located on local panel should remain on - verify.
5. Using wobulator adjust VT-1234 below its trip point and not below its alarm point, reset monitor.
a. Red danger light on VT-1234A should go off - verify.
b. VAHH-5001-3 should clear - verify.
c.
VAHH-5001-3 on sequence of events recorder (UJR-6001) should print out as being normal verify.
d. Alert light on VT-1234A should remain on - verify.

e. VAH/TAH 5001-1 located on local panel should remain on - verify.
f.
XA-7000 - the common trouble alarm in the control room should remain on - verify.
6. Using XV-5050A reset system.

a. PI-4321 - located on S/D box should read 20 psig.
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
52
b. PI-4331 - located on S/D box should read 20 psig.

7. Using wobulator (TK-3) adjust VT-1234 below its alarm point.
a. Alert light on VT-1234A should go off verify.
b. VAH/TAH 5001-1 located on local panel should clear - verify.
c.
XA-7000 - the common trouble alarm in the control room should clear - verify.
h. VAHH-5001-3 located on local panel and UJR-6001 should remain clear verify.
||||
--
8. Using wobulator (TK-3) pass VT-1234 through its alarm point in the inactive direction. Do not pass
VT-1234 through its trip point at this time.
|||| ||
g. PI-4331 - located on S/D box should read 20# - verify.
||||
||| || | ||| || |
f.
||
e. Red danger light on VT-1234A should remain off - verify.
|---
d. VAH/TAH 5001-1 alarm on sequence of events recorder (UJR-6001) should print out as being
normal verify.
a. Red danger light on VT-1234A should be off - verify.

b. PI-4321 - located on S/D box should read 20# - verify.
c.
d. VAHH-5001-3 located on local panel and UJR-6001 should be clear verify.

e. Alert light on VT-1234A should come on - verify.
f.
VAH/TAH 5001-1 located on local panel should come on - verify.
g. XA-7000 - the common trouble alarm in the control room should come on - verify.
h. VAH/TAH 5001-1 alarm on sequence of events recorder (UJR-6001) should print out.
i.
Acknowledge XA-7000.
9. Using wobulator pass VT-1234 through its trip point in the inactive direction.
a. Red danger light on VT-1234A should come on - verify.
b. PI-4321 - located on S/D box should go to zero - verify.
c.
PI-4331 - located on S/D box should go to zero - verify.
d. XA-7000 - the common trouble alarm in the control room should reflash - verify.
e. VAHH-5001-3 located on local panel should come on - verify.
Procedure No.
Revision Date
Page _ of _

53
f.
ISA-TR84.00.03-2002
VAHH-5001-3 on sequence of events recorder (UJR-6001) should print out as being in the trip
condition - verify.
-|
g. Alert light on VT-1234A should remain on - verify.
||| || | ||| || |
h. VAH/TAH 5001-1 located on local panel should remain on - verify.
||||
10. Using wobulator adjust VT-1234 below its trip point and not below its alarm point, reset monitor.
|||| ||
a. Red danger light on VT-1234A should go off - verify.
||||
|
||
b. VAHH-5001-3 should clear - verify.
|---
c.
d. Alert light on VT-1234A should remain on - verify.

e. MAH/TAH 5001-1 located on local panel should remain on - verify.
f.
XA-7000 - the common trouble alarm in the control room should remain on - verify.

12. Using wobulator (TK-3) adjust VT-1234 below its alarm point.
a. Alert light on VT-1234A should go off - verify.
c.
XA-7000 - the common trouble alarm in the control room should clear - verify.
d. VAH/TAH 5001-1 alarm on sequence of events recorder (UJR-6001) should print out as being
normal verify.
e. Red danger light on VT-1234A should remain off - verify.
f.
g. PI-4331 - located on S/D box should read 20# - verify.

h. VAHH-5001-3 located on local panel and UJR-6001 should remain clear verify.
13. Put HS-5001 (bypass switch for the PGC thrust & vibration S/D) in the bypass position.
14. Using wobulator pass VT-1234 through its trip point in the inactive direction.
a. VAHH-5001-3 located on local panel should come on - verify.
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
54
b. VAHH-5001-3 on sequence of events recorder (UJR-6001) should print out as being in the trip
condition - verify.
c.
Red danger light on VT-1234A should come on - verify.
d. VY-5001 should not energize and the S/D box should not trip.
e. PI-4321 - located on S/D box should read 20 psig.
f.
PI-4331 - located on S/D box should read 20 psig.
15. Using wobulator adjust VT-1234 back to a normal operating range and reset monitor.
--
a. VAHH-5001-3 should clear.
|
||| || | ||| || |
b. Red danger light on monitor should go off.

c.
||||
|||| ||
16. Put HS-5001 (bypass switch for the PGC thrust & vibration S/D) back in the normal position.
||||
|
||
17. Using wobulator (TK-3) pass VT-1234 through its trip point in the inactive direction again.
|---
a. VAHH-5001-3 located on local panel should come on - verify.

b. VAHH-5001-3 on sequence of events recorder (UJR-6001) should print out as being in the trip
condition - verify.
c.
Red danger light on VT-1234A should come on - verify.
d. VY-5001 should energize and the S/D box should trip.

e. PI-4321 - located on S/D box should read 0 psig.
f.
PI-4331 - located on S/D box should read 0 psig.
18. Put VT-1234 back in service and reset it.

a. Alert light on VT-1234A should be off verify.
c.
VAH/TAH 5001-1 alarm on sequence of events recorder (UJR-6001) should print out as being
normal verify.
d. Red danger light on VT-1234 A should be off.

e. VAHH-5001-3 should clear.
f.
g. XA-7000 the common trouble alarm in the control room should clear verify.
Procedure No.
Revision Date
Page _ of _

55
ISA-TR84.00.03-2002
19. Put defeat switch for VT-1234 A&B back to its neutral position.
a. Red defeat light for VT-1234 A&B should be off - verify.
When test is complete, sign and date below.
SIGNATURE
DATE
DATE: _______________
CRAFTSMAN: _____________________________
DATE: _______________
--
||| || | ||| || |
||||
|||| ||
||||
||
|---
OPERATOR:_______________________________
Procedure No.
Revision Date
Page _ of _

-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

57
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex D-1 Model procedure for electronic over-speed trip testing

1. Isolate PI-4501A and PI-4501B.
CAUTION DO NOT ATTEMPT TO LOOSEN OR REMOVE PI-4501A OR PI-4501B UNTIL THE
FOLLOWING STEP HAS BEEN COMPLETED.
2. Have operator close block valves up-stream and down-stream of SV-4501.
CAUTION BE SURE VALVES UP-STREAM AND DOWN-STREAM OF SV-4501 ARE
COMPLETELY CLOSED BEFORE PROCEEDING!
--
3. Check the calibration of the following pressure gauges.
|
||| || | ||| || |
PI-4501A
BEFORE
AFTER
||||
|||| ||
||||
FAILURE LIMITS
GAUGE
GAUGE
Failed?
INPUT
OUTPUT
OUTPUT
OUTPUT
(Mark
with )
BEFORE
AFTER
GAUGE
||
|---
0%
0 PSIG
0# TO 10#
50%
100 PSIG
90# TO 110#
100%
200 PSIG
180#TO 220#
PI-4501B
GAUGE
FAILURE LIMITS
GAUGE
GAUGE
Failed?
INPUT
OUTPUT
OUTPUT
OUTPUT
(Mark
with )
0%
0 PSIG
0# TO 10#
50%
100 PSIG
90# TO 110#
100%
200 PSIG
180#TO 220#
4. Put PI-4501A and PI-4501B back in service. SV-4501 must remain isolated.
5. Have operator slowly open block valve up stream of SV-4501.
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
58
a. PI-4501A should read Governor oil pressure.

b. PI-4501B should read 0 PSIG.
6. Have Operator close block valve up-stream of SV-4501 on compressor turbine.
CAUTION BE SURE VALVES UP-STREAM AND DOWN-STREAM OF SV-4501 ARE
COMPLETELY CLOSED BEFORE PROCEEDING!
7. Turn power to speed switch OFF.
a. XA-4501, power failure or low speed alarm should come on - verify.
-|
||| || | ||| || |
b. SV-4501 should not energize, PI-4501A should still be reading Governor oil pressure and PI4501B should be reading about zero - verify.
c.
SAH-4501 on local annunciator panel should remain clear - verify.
||||
|||| ||
d. SAH-4501 on sequence of events recorder (UJR-6001) should remain clear.
||||
e. SAHH-4501 on local annunciator panel should remain clear - verify.
|
||
|---
f.
SAHH-4501 on sequence of events recorder (UJR-6001) should remain clear.
8. Connect frequency generator to SSH/SSHH-4501 and apply an input signal above the low speed
setting for XA-4501 and NOT above the setting of SSH-4501.
NOTE Use only, Dynalco Model F-15 frequency generator. Noisy signals present in other frequency generators may cause SAH4501 and SAHH-4501 to come on at the same time.
9. Turn power to speed switch ON.

a. XA-4501, power failure or low speed alarm should clear - verify.
c.

f.
10. Lower frequency below the setting of XA-4501.

a. XA-4501, power failure or low speed alarm should come on - verify.
c.
Procedure No.
Revision Date
Page _ of _

59
ISA-TR84.00.03-2002

f.

RECORD FINDINGS BELOW
INST. NO.
PROCESS
SETTING
DEVICE SETTING
FAILURE
LIMITS
BEFORE
FINAL
Failed?
(Mark with )
HERTZ
XA-4501
3600 RPM
DEC.
6000 HERTZ
DEC.
5400 TO
6600 HERTZ
11. Raise input frequency above the low speed setting for XA-4501 and NOT above the setting of SSH4501.
a. XA-4501, power failure or low speed alarm should clear - verify.
c.

-|
f.
||| || | ||| || |
12. Raise frequency above the setting of SSH-4501 and not above the setting of SSHH-4501.
||||
a. SAH-4501 on local annunciator panel should come on - verify.
|||| ||
b. SAH-4501 on sequence of events recorder (UJR-6001) should print.
||||
|
c.
XA-4501 power failure or low speed alarm should remain clear - verify.
||
|---
d. SAHH-4501 on local annunciator panel should remain clear - verify.

e. SAHH-4501 on sequence of events recorder (UJR-6001) should remain clear.
f.
SV-4501 should not energize, PI-4501A should still be reading Governor oil pressure and PI4501B should be reading about zero - verify.
Procedure No.
Revision Date
Page _ of _

60
ISA-TR84.00.03-2002

INST. NO.
PROCESS
SETTING
DEVICE SETTING
FAILURE
LIMITS
BEFORE
FINAL
Failed?
(Mark with )
HERTZ
SSH-4501
5474 RPM
INC.
9123 HERTZ
INC.
8667 TO
9579 HERTZ
13. Raise the frequency above the setting of SSHH-4501.

a. SAH-4501 on local annunciator panel should remain on - verify.
b. SAH-4501 on sequence of events recorder (UJR-6001) should not change.
c.
XA-4501 power failure or low speed alarm should remain clear - verify.
d. SAHH-4501 on local annunciator panel should come on - verify.

e. SAHH-4501 on sequence of events recorder (UJR-6001) should print.
f.
SV-4501 should energize and the pressure should equalize across it. PI-4501A and PI-4501B
should now be reading the same pressure somewhere below the Governor Oil Pressure
INST. NO.
PROCESS
SETTING
DEVICE SETTING
FAILURE
LIMITS
BEFORE
FINAL
(Mark with
)
HERTZ
SSHH-4501
5940 RPM
INC.
9900 HERTZ
INC.
Failed?
9405 TO
10395 HERTZ
14. Put SSH-4501 and SSHH-4501 back in service.

a. XA-4501 power failure or low speed alarm should remain clear - verify.
b. SAH-4501 should clear - verify.
c.
SAH-4501 on sequence of events recorder (UJR-6001) should print out clear - verify.
d. SAHH-4501 should clear - verify.

e. SAHH-4501 on sequence of events recorder (UJR-6001) should print out clear - verify.
f.
SV-4501 should de-energize - verify.
15. Have Operator line SV-4501 back up using the following procedure.
a. SLOWLY open block valve up-stream of SV-4501 first. PI-4501A should start coming up. If PI4501B starts coming up STOP because SV-4501 is leaking through.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

61
ISA-TR84.00.03-2002
NOTE 1 If SV-4501 leaks through have operator close block valve UP STREAM of SV-4501. Slowly open block valve
DOWN STREAM of SV-4501 to bleed pressure and allow SV-4501 TO SEAT, PI-4501B SHOULD GO TO 0 PSIG.
NOTE 2
Have operator close block valve DOWN STREAM of SV-4501 and repeat step 10.
Once it is determined that SV-4501 is not leaking through and the block valve is completely
opened proceed to step b.
b) SLOWLY open block valve down-stream of SV-4501. PI-4501B should drop to near zero without
affecting PI-4501A.
When section is complete, sign and date below.

SIGNATURE
DATE
DATE: _______________
CRAFTSMAN: ________________________________________
DATE: _______________
--
OPERATOR:___________________________________________
|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

63
ISA-TR84.00.03-2002
Equipment number:
100PT (TriSen) and Turbine Mechanical Overspeed Trip
Test objective:
When the main steam turbine speed reaches 4800 rpm, the
TriSen turbine governor will interlock down the turbine by deenergizing the turbine trip solenoid. In addition, if the TriSen
interlock fails to operate, the mechanical overspeed assembly in
the turbine will engage and shutdown the turbine at 5200 rpm.
Test frequency:
12-24 months during process shutdown
Process trip setting:
4800 100 rpm for the TriSen interlock
|||| ||
Turbine Overspeed
5200 100 rpm for the turbine overspeed

Type test:
Test by overspeeding turbine
Equipment required for test:
Handheld tachometer
Pre-test conditions:
Process shutdown with turbine uncoupled from blower. Steam

available to turbine from package boiler.
Procedure No.
Revision Date
Page _ of _

--
||| || | ||| || |
||||
Event:
||||
||
Annex D-2 Model procedure for testing turbine overspeed trip
|---

BODY OF ISA-TR84.00.03-2002.
64
ISA-TR84.00.03-2002
Interlock test procedure

TriSen hi-hi speed
_____1.
Notify the control room operator that a hi-hi turbine speed interlock test will be taking place.
_____2.
Ensure that the turbine is uncoupled from the blower.
_____3.
Valve in the package boiler steam to the turbine.
_____4.
Bypass both Eye-Hi interlocks by rotating the bypass switch on each unit. This will allow the
turbine solenoid to be energized without water in the steam drum.
_____5.
Enable local control of the turbine by rotating the governor bypass switch to the manual
position. This switch is located in the enclosure beside the turbine.
_____6.
Adjust the manual speed control valve that measures the air being applied to the turbine
steam actuator. 15 psig of air pressure corresponds to minimum turbine speed, and 3 psig of
air pressure corresponds to maximum turbine speed.
_____7.
Reset the turbine trip solenoid by pressing the START button on the TriSen.
_____8.
Raise the trip flag on the turbine into the normal position.
_____9.
Begin raising the speed of the turbine by slowly adjusting the air pressure with manual speed
control valve.
____10.
Monitor the speed indicator mounted by the turbine and the reading on the TriSen in the
control room. In addition, monitor the turbine speed with the handheld tachometer.
____11.
Slowly increase the turbine speed as it approaches 4800 rpm to better observe the speed
indicators when the interlock trips the turbine solenoid.
____12.
When the turbine solenoid trips, observe and document the resulting trip point (as found
condition).
____13.
Adjust the manual speed control valve to the minimum position.
____14.
The initial interlock test passed / failed. (circle one)
____15.
If the interlock test failed, what corrective action was required?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

65
ISA-TR84.00.03-2002
_____5.
Enable local control of the turbine by rotating the governor bypass switch to the manual
position. This switch is located in the enclosure beside the turbine.
_____6.
Raise the TriSen hi-hi speed interlock setting to 5500 rpm (refer to the TriSen Users manual
for instructions).
_____7.
Adjust the manual speed control valve that measures the air being applied to the turbine
steam actuator. 15 psig of air pressure corresponds to minimum turbine speed, and 3 psig of
air pressure corresponds to maximum turbine speed.
_____8.
Reset the turbine trip solenoid by pressing the START button on the TriSen.
_____9.
Raise the trip flag on the turbine into the normal position.
____10.
Begin raising the speed of the turbine by slowly adjusting the air pressure with manual speed
control valve.
____11.
Monitor the speed indicator mounted by the turbine and the reading on the TriSen in the
control room. In addition, monitor the turbine speed with the handheld tachometer.
____12.
Slowly increase the turbine speed as it approaches 5200 rpm to better observe the speed
indicators when the mechanical overspeed trips down the turbine.
____13.
When the turbine overspeed assembly engages, observe and document the resulting trip
point (as found condition).
____14.
Repeat the overspeed test two more times for a total of three tests. Observe and document
the resulting trip points (as found condition).
____15.
Adjust the manual speed control valve to the minimum speed position.
____16.
Turn off the #1 and #2 Eye-Hi Interlock Bypass.
____17.
Return the TriSen hi-hi speed interlock setting to 4800 rpm (refer to the TriSen Users manual
for instructions).
____18.
Enable TriSen control of the turbine by rotating the governor bypass switch to the TriSen
Governor position.
____19.
The initial interlock test passed / failed. (circle one)
____20.
If the interlock test failed, what corrective action was required?
____________________________________________________________________________________
____________________________________________________________________________________
___________________________________________________________________________________
Procedure No.
Revision Date
Page _ of _

||
Bypass both Eye-Hi interlocks by rotating the bypass switch on each unit. This will allow the
turbine solenoid to be energized without water in the steam drum.
_____4.
||||
Valve in the package boiler steam to the turbine.
|||| ||
_____3.
||||
Ensure that the turbine is uncoupled from the blower.
||| || | ||| || |
_____2.
Notify the control room operator that a turbine mechanical overspeed test will be taking place.
--
_____1.
|---
Turbine mechanical overspeed
ISA-TR84.00.03-2002
66
Post-test inspection and documentation

_____1.
The interlock equipment has been returned to normal and is ready for service.
_____2.
Record as found condition results here:
____________________________________________________________________________________
____________________________________________________________________________________
___________________________________________________________________________________
Test and inspection completed by:
Date:_________________
____________________________________
_________________
____________________________________
_________________
--
||| || | ||| || |
||||
|||| ||
||||
||
|---
Name:____________________________________
Procedure No.
Revision Date
Page _ of _

67
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex E Model procedure for testing permissive start for turning gear motor
1. Have an electrician pull the T leads on the turning gear motor starter.
2. Check the setting of PSH-1234, log findings below.
INST. NO.
SWITCH SETTING
PROCESS
FAILURE
LIMITS
AS FOUND
AS LEFT
FAILED?
(MARK WITH
)
PSH-1234
xx PSIG
y TO
DEC.
yy PSIG DEC.
a. The motor starter should pull in - verify.
||||
|
5. Lower the signal on PSH-1234 below its trip point
||| || | ||| || |
||||
4. Turn the hand switch for the turning gear motor to the RUN position.
|||| ||
b. XA-2345 common trouble alarm in control room should be clear.
||
a. PAH-1234 permissive start turning gear alarm, on local panel should be clear.
|---
3. Put a signal on PSH-1234 that is above its trip point.
--
a. The motor starter should drop out - verify.

b. PAH-1234 permissive start turning gear alarm, on local panel should go on
c.
XA-2345 common trouble alarm in control room should go on.
6. Put PSL-1234 back in service.

a. PAH-1234 permissive start turning gear alarm, on local panel should clear.
b. XA-2345 common trouble alarm in control room should clear.
7. Return the hand switch for the turning gear motor to the OFF position.
8. Have electrician replace T leads and put motor starter back in service.
Procedure No.
Revision Date
Page _ of _

68
ISA-TR84.00.03-2002
When section is complete, sign and date below.
SIGNATURE
DATE
OPERATOR:_______________________________
DATE: _______________
CRAFTSMAN: ____________________________
DATE: _______________
-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

69
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex F Model procedure for lube oil pumps autostart test

NOTE Operations and maintenance personnel involved should review and understand this procedure prior to start of
checks. Coordination and communication between operations and maintenance is critical.
This procedure will require two operators and two instrument craft-persons. One operator will man the
hand switch for P-1234 and the other will man the local control panel on K-2345 compressor deck. The
instrument craft-persons should have the necessary test equipment and fittings for field testing on hand
prior to start of tests.
Each time P-1234 starts or stops it will cause a swing in LIC-4321, third stage seal oil pot level controller.
The operator at the local control panel for K-2345 must understand and implement the necessary action
to prevent a low seal oil pot level trip.
This procedure will call for the hand switch for P-1234 to be placed in the off position while connecting
test equipment and checking switch settings, this will prevent unnecessary pump starts and level swings.
PSL-1234A LOW LUBE OIL PRESSURE AUX. PUMP START AND ALARM SWITCH.
1. Have operator place hand switch for P-1234 in the off position.
2. Isolate PSL-1234A and connect calibrated pressure source to it.
3. Check the setting of PSL-1234A, log results below.
INST. NO.
SWITCH SETTING
FAILURE
LIMITS
PROCESS
AS FOUND
AS LEFT
FAILED?
(MARK
WITH )
PSL-1234A
xx PSIG DEC.
yy TO
yyy PSIG
4. Raise the input to PSL-1234A above its setting.

5. Have operator return the hand switch for P-1234 to the auto position.
6. Have operator place LIC-4321, third case seal oil pot level controller in manual.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
70
CAUTION THE OPERATOR AT THE LOCAL CONTROL PANEL FOR K-2345 MUST CLOSELY
MONITOR LIC-4321. IN THE NEXT STEP P-1234 WILL START, CAUSING L-4321, THIRD CASE
SEAL OIL POT LEVEL TO RISE RAPIDLY. K-2345 WILL NOT TRIP ON A HIGH SEAL OIL POT
LEVEL. A LOW SEAL OIL POT LEVEL WILL CAUSE K-2345 TO TRIP. DO NOT OVER CORRECT
FOR A HIGH LEVEL, THIS COULD RESULT IN A LOW-LEVEL TRIP.
7. Slowly lower the input to PSL-1234A below its setting.
a. P-1234 should start.
CAUTION DO NOT STOP P-1234 AT THIS TIME, P-1234 SHOULD NOT BE STOPPED UNTIL PSL1234A IS BACK IN SERVICE AND THE OPERATOR IS NOTIFIED.
b. PAL-1234A on local panel should come on.
c.
XA-3456 common trouble alarm in control room should come on.
d. PAL-1234A should print on alarm printer.

8. Put PSL-1234A back in service.
a. PAL-1234A on local panel should clear.
b. XA-3456 common trouble alarm in control room should clear.
c.
PAL-1234A should print out as being normal
9. Notify operator that PSL-1234A is back in service.

CAUTION THE OPERATOR AT THE LOCAL CONTROL PANEL FOR K-2345 MUST CLOSELY
MONITOR LIC-4321. IN THE NEXT STEP P-3428 WILL STOP, CAUSING L-4321,THIRD CASE SEAL
OIL POT LEVEL TO DROP RAPIDLY. K-2345 WILL NOT TRIP ON A HIGH SEAL OIL POT LEVEL. A
LOW SEAL OIL POT LEVEL WILL CAUSE K-2345 TO TRIP. THE OPERATOR SHOULD TAKE
STEPS TO PREVENT THE THIRD CASE SEAL OIL POT LEVEL FROM DROPPING BELOW ITS TRIP
POINT.
10. Have operator place the hand switch for P-3428 in the off position.
a. P-3428 should stop.
11. Have operator place the hand switch for P-3428 in the auto position.
a. P-3428 should remain off.
12. Have operator place LIC-4321, third case seal oil pot level controller back in auto.
When test is complete, sign and date below.
SIGNATURE
DATE
OPERATOR:_______________________________
DATE: _______________
CRAFTSMAN: ____________________________
DATE: _______________
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

71
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex G Model procedure for testing first-out sequence alarms

NOTE
The following steps are to verify the First-Out annunciator sequence for the SIS alarms.
LTH-2345 on local annunciator panel (if applicable) should flash normally.
LTH-1234 on local annunciator panel should flash rapidly

Press the acknowledge button for the annunciator panel.
LTH-2345 should remain on steady.
LTH-1234 should remain flashing,
Repeat procedure actuating LTH 2345 alarm first and verify proper first out indication.
Procedure No.
Revision Date
Page _ of _

||
--
LTH-2345 on operator console in the control room should be in alarm condition.
||| || | ||| || |
||||
Pass LSH-2345 through its alarm point using calibrated current source.
|||| ||
LTH-1234 on operator console in the control room should be in alarm condition.
||||
LTH-1234 on local annunciator panel (if applicable) should flash normally.
|---
Drive LSH-1234 through its alarm point using calibrated current source.
|--||
--
||| || | ||| || |
||||
|||| ||
||||

73
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex H Model procedure for functional testing of TMR-based SIS

instrumentation
NOTE
This procedure addresses a SIS with multiple SIF.
H.1 Purpose
The purpose of this annex is to provide a model for site development of administrative controls and
procedures to ensure that the integrity of all TMR-based SIS instrumentation is maintained through
functional testing following (1) changes and repairs and (2) on a routine basis through periodic SIS
system testing.
H.2 Management of change restrictions

H.2.1 Approval - The Operations Department Manager pre-approves the SIS configuration station
connection to the TMR logic solver whenever the associated process unit is not totally shutdown.
H.2.2
Qualifications - Only TMR qualified personnel perform SIS testing work.
H.2.3
Written test procedure
A written, step-by-step functional test procedure is required prior to approval of work on the TMR LOGIC
SOLVER whenever;
1. The associated process unit is not totally shutdown, and
2. Forcing of inputs and outputs is used as part of the functional test work.
--
H.2.4
Re-enabling ESD points
|
||| || | ||| || |
||||
All active SIS points must be re-enabled after completion of commissioning work. Enabled I/O must be
checked against a master list at the completion of functional testing; and this check must be documented
as evidence of responsible management of change. This documentation should be filed with plant SIS
records.
|||| ||
H.3 Procedure
||||
|
||
H.3.1
|---
H.3.1.1
Functional testing of SIS system following field changes and repairs

Reference documents
Obtain the SIS reference documents and testing procedures that document the part of the SIS system
that is affected by the repair or field change. This documentation typically includes:
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
74
1. Loop Diagram
2. SIS Logic Diagram
3. TMR Ladder Listing and Dictionary with Cross Reference
4. SIS Schematics, if applicable
H.3.1.2
Procedures
The procedure used when making changes to the TMR Logic Solver software should follow company
guidelines or practices.
--
H.3.1.3
Comparison with master
|
||| || | ||| || |
||||
The installed, modified TMR Logic Solver SIS Logic program is compared to the MASTER Program,
[<Filename>.UPL] using the Upload-and-Compare Utility function of the TMR configuration station if
available. If no program changes are identified EXCEPT FOR THOSE PLANNED MODIFICATIONS, an
input-output functional check of the existing and unchanged SIS Logic is not required at this time.
|||| ||
H.3.1.4
Program compare listing
||||
|
||
|---
Printout the Program Compare Listing and file it with the documentation of the sensor and process
actuator functional checks.
H.3.1.5
Functional check
All modifications to SIS logic are FUNCTIONALLY CHECKED. A checkout procedure should be defined
according to the following steps:
1. The state-of-digital and value-of-analog inputs that are read through the Communication Module from
TMR Logic to the BPCS can be monitored adequately at the BPCS Operator Workstation. Signals
originating within the TMR logic (analog outputs, digital outputs) and any input signals that are
received by the TMR logic and not fed forward to the BPCS will require connecting the TMR
configuration computer to the TMR logic. The TMR configuration computer is used to verify correct
SIS program values when an analog input field transmitter range is altered.
2. To functionally check analog and digital inputs associated with the SIS change, confirm that the TMR
logic is properly reading
a. the state of the digital inputs, and
b. the 0%, 50% and 100% of range signal of the analog input in both counts and engineering units
to validate square root or linear signal.
3. No input points should be disabled unless it is necessary to disable an undesirable trip function. See
H-2 for Management of Change restrictions.
4. To functionally check digital or analog outputs associated with the SIS change either:
a. Simulate a TMR logic input signal that would cause the output value to change state or take a
known analog value; or
b. Disable the associated output register and enter a forcing value.
Procedure No.
Revision Date
Page _ of _

75
ISA-TR84.00.03-2002
NOTE It may become necessary to disable other associated points to allow this output to be transmitted to the field or to
the BPCS. See H-2 for Management of Change restrictions.
c.
Proper output device response must be field validated.
5. Operation of all SIS trip and pre-alarms and first out trip indications that are associated with the
changed logic are validated.
6. All points that were disabled during this functional checkout are returned to the enabled state
following commissioning.
H.3.1.6
Documentation - The following documentation steps are required:
1. TMR logic documentation is completed, backup copies made and, if any logic changes were
implemented, an up-to-date copy of all modified TMR configuration station files are inserted in Master
TMR Logic SIS manual.
2. As a minimum, a printout of the POINT DISABLED file taken just prior to disconnecting from the TMR
Logic is reviewed to ensure that all points not documented as permanently out-of-service are reenabled. Other manuals are to be updated in a timely manner.
3. A copy of the POINT DISABLED listing is sent to the Staff member responsible for the unit's TMR
Logic system.
4. Only documented permanently out-of-service points are left disabled.
5. Printouts of Points Disabled file following each repair must be kept in the file containing the last
completed unit SIS Documentation.
H.3.2
H.3.2.1
Periodic functional testing

Functional test plan
An SIS Functional Test Plan that includes a procedure and that defines documentation is prepared for
each SIS system.
H.3.2.2
Functional test requirement
A functional test of the SIS system is completed on a periodic basis by TMR Logic-qualified personnel.
H.3.2.3
Test plan approval
Operations Department Manager approves the Functional Test Plan.

H.3.2.4
Functional test documentation
Documentation of the completed, SIS functional test results including

1. as found/as left sensor calibration data and
2. pass/fail system response data
is maintained in Process Unit files for at least three years for auditing purposes.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
H.3.2.5
76
Periodic functional tests
All SIS system inputs and outputs, both analog and digital (including those triggering BPCS alarms and
first out indications), are functionally tested on a periodic basis not to exceed the test interval included in
the SIS integrity evaluation. More frequent testing of most field devices is recommended. A procedure
for establishment of the test frequency for each interlock is included in the plants risk management
program.
The functional test procedure includes the following:
1. TMR Logic outputs may be functionally tested by
a. disabling the point,
b. altering its value/state, then
c.
verifying proper action in the field/BPCS Displays/Alarm Displays/etc.
Associated TMR Logic points are disabled and altered as necessary to permit operation of each control
valve that is tripped by TMR Logic. Each control valve is opened to 50% output then tripped
(opened/closed). The proper SIS action of each field automated valve should be field verified. Each
proven SIS action is documented. See H-2 for Management of Change restrictions where forcing of input
and output points is done.
2. TMR Logic input signals (DI/AI) are emulated from the field sensor, valve, or device and are validated
in the TMR Logic and BPCS. Where both field and control room mounted start-stop switches can
trigger an input, correct operation of both must be proven and documented.
3. The installed TMR Logic is compared to the MASTER Program, [<Filename>.UPL] using the Uploadand-Compare Utility function if available. If no program changes are identified, an input-output
functional check of the SIS Logic is not required at the scheduled SIS functional checkout.
Printout the Program Compare Listing and file this listing with the documentation of the sensor and
process actuator functional checks.
H.3.2.6
Complete functional check
A complete, field input-to-SIS valve functional check of the TMR Logic is to be performed at least once
every four years. This check is in addition to the periodic software-compare validation of Step H-3.2.5.
H.3.2.7
Correction of deficiencies
All deficiencies noted during the functional check are corrected unless they have no impact on SIS safety
function integrity. Department Manager approval is obtained and documented in the Functional Checkout
records if a deficiency is not corrected.
Deficiency report
|
||||
|||| ||
||| || | ||| || |
||||
A report is written by a Staff TMR Logic specialist (for the complete input-output check made on a nominal
four year cycle and for other scheduled functional checks) documenting all deficiencies encountered
during commissioning and defining actions planned to eliminate such deficiencies. This information is
filed with the SIS documentation.
||
|---
H.3.2.8
--
Procedure No.
Revision Date
Page _ of _

77
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex J Example of a jumper control list

Jumper
Identification
Number
Installed On
Installed By
Date
Removed From
Removed By
Date
-|
||| || | ||| || |
||||
|||| ||
||||
|
||
A copy of this list should be placed in SIF record file after each functional test is performed.
|---
Procedure No.
Revision Date
Page _ of _

|--||
|
||||
|||| ||
--
||| || | ||| || |
||||

79
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex K Model procedure for on-line test of a high level switch

Obtain the necessary work permit? Verify on test form.
Place the DEFEAT/BYPASS SWITCH for device being tested in the DEFEAT/BYPASS POSITION.
Verify on test form.
Remove level switch cover and check for contamination.
Check if terminal connections are tight.
Close level switch block valves. Open drain valve(s) to depressure switch.
Level interlock check:
a. Set up drain and block valves to flood the float chamber. The alarm should now be on. Verify on.
b. Line up valves to empty the float chamber. The alarm should now be off. Verify off.
c.
Open process valves to level switch.
Return the defeat/bypass switch to run/normal position.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

81
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex L Model procedure for on-line testing of flow sensors in a 1oo2

configuration (high or low trip)
From instrument record system, confirm the following:
Transmitters span
||
|---
Pre-alarm switch setting (if applicable)
||||
Deviation alarm switch setting (if applicable)
|||| ||
Trip alarm switch setting
|
--
Defeat/bypass switch for one transmitter must be in the DEFEAT/BYPASS position before test begins.
Controller(s) using the signals from either transmitter should be in manual position. Make sure that
Operations is set up to monitor the controlled variables while the controllers are in MANUAL mode.
||| || | ||| || |
||||
All confirm ok.
Obtain necessary work permit.

Remove d/p cell junction box cover and check for contamination.
Check that terminal connections are tight.
Check calibration for both transmitters:
a. Close block valves for one transmitter.
b. Connect test gage and pressure regulator to high side of d/p cell. Hook up test milliamp meter to
output.
c.
Check zero by opening equalizing valve, record as found setting.
d. Close equalizing valve and open up d/p cell high side to regulator and test gage.
e. Apply full transmitter span and record output.
f.
Re-calibrate if necessary and record as left setting.
Pre-alarm, trip, and deviation alarm check.

a. Apply pressure that is above the setpoint pressure to the high side of one d/p cell.
b. Gradually reduce pressure until pre-alarm and deviation alarm (if applicable) come on, record as
found setting and alarm status.
Procedure No.
Revision Date
Page _ of _

-|
ISA-TR84.00.03-2002
||| || | ||| || |
c.
82
Gradually reduce pressure until trip switch operates, record as found setting and alarm status.
||||
|||| ||
d. Re-calibrate switch if necessary and record as left setting.
||||
Repeat both tests for other d/p cell.
|
||
|---
Testing of high flow transmitters can be done by raising pressure above high alarm and trip values and
verifying alarm and trip status.
Procedure No.
Revision Date
Page _ of _

83
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex M Model procedure for on-line testing of pressure sensors in a 2oo3

configuration (high or low trip)
Note that this variable must be bypassed or defeated in the SIF logic before testing.
Check deviation alarm (if applicable). The pre-alarm and the trip alarm should not come on during this
check.
a. Lower the pressure of the # 1 transmitter by blocking process and venting transmitter. Deviation
alarm on ( __ ).
b. Restore pressure, clear the alarm.
c.
Lower the pressure of the # 2 transmitter. Deviation alarm on ( __ ).
d. Restore pressure, clear the alarm.

e. Lower the pressure of the # 3 transmitter. Deviation alarm on ( __ )
f.
Restore pressure, clear the alarm.
The following steps involve a check of the logic voting system.

a. All alarms should be clear. If not correct the problem before starting this test.
b. Gradually lower the input pressure of one transmitter until it is below the trip setpoint. Record
alarm conditions below.
c.
Gradually lower the pressure of another transmitter until it is below the pre-alarm setpoint.
Record alarm conditions below.
d. Continue to lower the input until it is below the trip setpoint. Record alarm conditions below.
e. Restore input to one transmitter and record the reset conditions below.
f.
Restore input to the other transmitter and record the reset conditions below.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

84
ISA-TR84.00.03-2002
Step
Deviation alarm
Pre-alarm
Trip
b.
On ( )
Off ( )
On ( )
Off ( )
On ( )
Off ( )
c.
On ( )
Off ( )
On ( )
Off ( )
On ( )
Off ( )
d.
On ( )
Off ( )
On ( )
Off ( )
On ( )
Off ( )
e.
On ( )
Off ( )
On ( )
Off ( )
On ( )
Off ( )
f.
On ( )
Off ( )
On ( )
Off ( )
On ( )
Off ( )
Repeat the above procedure for the other two combinations of transmitters. Record data for as found and
as left values for deviation, pre-alarm, and trip setpoints for each transmitter.
Transmitter
Number
Deviation
alarm as
found
Deviation
alarm as left
Pre-alarm as
found
Pre-alarm as
left
Trip setpoint
as found
Trip setpoint
as left
-|
||| || | ||| || |
This procedure can be used for high deviation, pre-alarm, and trip setpoints also.
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

85
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex N Model procedure for testing temperature switches

Perform the following steps for verification of switch input processing validation and trip check.
1. Set the calibrated temperature bath to allow simulation of the input temperature over the calibrated
range of the temperature switch.
2. Place temperature switch in temperature bath.
3. Increase the simulated temperature until a High temperature pre-alarm and trip occurs as indicated
by the loop documentation (if applicable). Verify and document that pre-alarm and trip occur at
correct set point.
4. Decrease the simulated temperature until the High temperature trip and pre-alarm clears as indicated
by loop documentation (if applicable). Verify and document that trip and pre-alarm clear at correct set
point. Also verify that the SIF does not automatically reset.
-|
||| || | ||| || |
5. Decrease the simulated temperature until a Low temperature pre-alarm and trip occurs as indicated
by loop documentation (if applicable). Verify and document that pre-alarm and trip occurs at correct
set point.
||||
NOTE Increase the simulated temperature until the Low temperature trip and pre-alarm clears as indicated by loop documentation
(if applicable). Verify and document that pre-alarm and trip clear at correct set point. Also verify that the SIF does not automatically
reset.
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

87
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex O Example visual inspection form for SIF

-|
||| || | ||| || |
||||
The SIF system should be visually inspected on some predetermined schedule to see if there are any
problems that should be addressed before or during the functional testing. Since the SIF will not be in
bypass during this inspection, do not open enclosures or devices in order to perform this inspection. This
inspection is intended to be a visual inspection to determine how well the SIF devices have held up during
a period of operation. Examples of items to check are
|||| ||
||||
Instrument Air Supplies
Tubing
Conduit
Instrument Mountings
Hand Switches
Isolation Valves
Enclosure Purges
Instrument Covers
Paper Supply for printers
Alarm Panel Test Lights
Bug Screens
Gauges
||
|---
Heat tracing
Items that need to be addressed should be listed at the bottom of this form and reported to the operations
and maintenance. These items then should be addressed and corrected at the first opportunity allowed
by the process operation.
The inspection should include, but not be limited to the following items.
Verify that all components of the SIF are properly tagged and labeled.
Visually inspect devices for excessive corrosion.
Visually inspect all components to insure proper working condition.
Visually inspect tubing and wiring to insure proper working condition.
Verify that all instrument air supply regulators are at their proper settings.
Verify that all shutdown components are painted red.
Verify that boxes and housings have proper seals and are secure.
Procedure No.
Revision Date
Page _ of _

88
ISA-TR84.00.03-2002
Verify that tubing and cables are properly routed and secure.
Visual checks:
Tagging:
a) Are all instruments in this system tagged with a special tag identifying them as SIF Instrument?
Yes
( )
No
( )
Good
( )
Bad
( )
Insulation
NA
( )
b) Tagging condition:
Process connections:
Valves
NA
( )
Ok
[ ]
Ok
[ ]
Leaks
[ ]
Repairs
[ ]
Corroded
[ ]
Missing
[ ]
Comments
Comments
Heat Tracing
NA
[ ]
Bad
[ ]
Piping
[ ]
Ok
Bad
[ ]
Comments
Conduit system:
OK
Ok
[ ]
Comments
( )
Bad
If bad check below.
( )
Covers off
[ ]
Drains missing [ ]
Supports gone [ ]
Seal needed
[ ]
Flex bad
[ ]
Conduit broken [ ]
Fitting bad
[ ]
Corrosion
[ ]
Other
Details
[ ]
]
Correction made?
Yes
( )
No
( )
Bug screens
ok
[ ]
clean
[ ]
Tubing condition
ok
[ ]
corroded
Control valve:
General
Procedure No.
Revision Date
Page _ of _
||| || | ||| || |
||||
|||| ||
[ ]
]
Trip solenoids
[ ]
Comments
--
missing
||||
None installed
||
[ ]
|---

89
ISA-TR84.00.03-2002
Bug screens
ok
[ ]
clean
Tubing condition
ok
[ ]
corroded
Comments
[ ]
missing
[ ]
[ ]
]
Piping gasket leak [ ] Valve gasket leak
[ ]
Packing gland leak [ ] Sticky stem action
[ ]
Topworks problem [ ]
Details
]
[ ]
Positioner problem
Details
Signal system problem [ ]

Details
Auxiliary device problem [ ]

Details
Once inspection is complete, sign and date below.

?
SIGNATURE
DATE
Operator/Craftsman: ____________________________
Date: _______________
Items needing attention:

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

-|
||| || | ||| || |
||||
|||| ||

||||
|
||
|---

91
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
||
--
1) DECREASE pressure at PT9110 to 1.98 Psig. Verify PXL9110 Activated. RECORD TRIP VALUE
_______________ PSIG.
Steps:
||| || | ||| || |
||||
NOTE When the shutdown reset is activated, a 15 minute timer is activated allowing time for the pilot pressure to increase above
its trip point. However, if the pressure is satisfied prior to that 15 minutes and stays acceptable for at least 15 seconds, another
timer will arm the shutdown and make it active.
|||| ||
||||
PERFORM THE FOLLOWING STEPS TO TEST PASS #1 & #2 PILOT GAS LOW PRESSURE
SHUTDOWN.
|---
Annex P Model procedure for testing a permissive pressure logic point
Initials
Date
2) VERIFY Pilot Gas solenoid XY9111 status XL9111 indicates Tripped (de-energized) and valve
XV9111 closed and HMI indication ZLC9111 indicates a closed valve.
Initials
Date
Initials
Date
3) ACTIVATE HS9617 Reset. Start StopWatch.
4) VERIFY Pilot Gas solenoid status XL9111 is Normal (energized), reset solenoid XY9111 Verify
XV9111 Opens and HMI open indication ZLC9111 indicates an open valve.
Initials
Date
5) WAIT 15-minutes then verify XL9111 valve status alarmed and Valve XV9111 closed. Record
minutes.
Elapsed Time:
Initials
Date
Procedure No.
Revision Date
Page _ of _

92
ISA-TR84.00.03-2002
6) VERIFY Pilot Gas valve Position alarm ZLC9111 is alarmed and indicates a closed valve.
Initials
Date
Initials
Date
7) ACTIVATE HS9617 Reset. Start StopWatch.
8) VERIFY Pilot Gas solenoid status XL9111 is Normal (energized), reset solenoid XY9111, verify
XV9111 Opens.
Initials
Date
9) VERIFY Pilot Gas valve Position alarm XA9111 is normal and ZLC9111 indicates an open valve.
Initials
Date
10) INCREASE the Pressure to Pilot Gas pressure transmitter PT9110 to above the trip point ~ 5Psig.
Verify Reading on PI9110.
Initials
Date
Initials
Date
11) VERIFY Shutdown alarm PXL9110 CLEARS.
12) AFTER a 15 second delay Decrease the Pilot Gas pressure to 1.0 Psig. and VERIFY XL9111
indicated Tripped (de-energized). Record Elapsed time ________________Min.
Initials
Date
13) VERIFY Pilot Gas valve Position alarm XA9111 is alarmed and ZLC9111 indicates a closed valve.
Initials
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
Date
|---

93
ISA-TR84.00.03-2002
14) INCREASE the Pressure to PT9110 to above it max range (~18psig) and verify Transmitter failure
alarm PA9110 Alarmed.
Initials
Date
15) DECREASE the Pressure to PT9110 to below zero (~-1psig) and verify Transmitter failure alarm
PA9110 Alarmed.
Initials
Date
16) INCREASE the Pressure to PT9110 to above its trip point (~5.0psig) and verify shutdown alarm
PXL9110 Cleared.
Initials
Date
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

95
ISA-TR84.00.03-2002
-|
||| || | ||| || |

BODY OF ISA-TR84.00.03-2002.
||||
|||| ||
Annex Q Model procedure for testing a simple SIF
||||
|
||
|---
This test procedure is for a process where high pressure could cause rupture of a vessel and release of a
hazardous gas. The initiator is PT1. PS1 is the hardwired logic and the final control element is PV1.
There is another PSM Critical interlock in this circuit for Low Level LS1. The basic process control
system also mirrors both interlocks by DO1. The simple circuit is shown in the following diagram.
RESET
|
---+--| +-+
|
+--+--+ +--+--+ +-------+ +----+
+----------------------/ \ / \ -------------------+
|
R1
PS1
LS1
DO1
R1
|
|
|
|
|
|
+-------------+
|
+-------+ +------------------------- --------+ SV1 +------------------------------ ----+
|
R1
+-------------+|
|
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
96
PSM critical interlock check method no. 1

Name of event:
Column High Pressure
Test objective:
When column pressure reaches 350 psig (increasing) interlock

pressure automatic valve (PV1)
PSM critical device:
PT1 located on platform beside column at second level
Final control element:
Closes pressure automatic (PV1)
Test frequency:
12 months
Process trip setting:
350 psig + / - 20 psig
Type of test:
Simulate pressure on process side of transmitter to test loop
Test equipment required:
Hand pump with calibrated pressure gauge
Reference prints:
Instrument Dwg. Xxxxx Dwg. Yyyyy
-|
Electrical
||| || | ||| || |
Test to be conducted by:
Dwg. Zzzzz Dwg. Qqqqq
Operations qualified CCR and field operator
||||
E&I qualified instrument technician
|||| ||
Pre-test conditions:
Process shutdown
||||
|
Column shutdown
||
|---
Steam off column
Procedure No.
Revision Date
Page _ of _

97
ISA-TR84.00.03-2002
Set-up requirements:
Operations:
(Underlines next to each step are provided to assist you as check marks. They are not
required to be used.)
CCR operator:
_____
Place the column pressure controller (PC1) on MANUAL and set valve position (PV1) to
open.
Field operator:
_____
Verify the pressure valve (PV1) is open.
-|
||| || | ||| || |
Instrument:
||||
|||| ||
There is a PSM critical interlock (PS1) and a non-PSM critical interlock (DO1). We are testing the PSM
critical interlock and therefore must bypass the non-PSM critical interlock. We must also bypass the Low
Level PSM critical interlock.
||||
Bypass LS1
______
Bypass DO1
______
||
|---
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
98
Procedure:
Instrument:
_____ 1. Connect a hand pump and calibrated gauge to the input of PT1. Apply 300 psig load to PT1.
_____ 2. Slowly increase the simulated pressure until the interlock occurs at 350 psig.
_____ 3. Document the observed trip point. Psig _________.
_____ 4. Inspect to assure the interlock system is in good condition. Inspect conduits, piping,
identification tags, etc.
CCR operator:
_____ 1. Verify that the column high pressure interlock alarm and light activated (PA1).
_____ 2. Verify the pressure controller valve loading (PV1) is still indicating open.
Field operator:
_____ 1. Verify the pressure valve closed (PV1) when interlock activation occurred.
Post test inspection and documentation
CCR operator:
_____ 1. The initial interlock test passed/failed
Instrument:
--
_____ 1. The interlock equipment has been returned to normal and is ready for service.
|
||| || | ||| || |
_____ 2. If the initial interlock test failed, what corrective action was required?
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

-|
99
||| || | ||| || |
ISA-TR84.00.03-2002
||||
|||| ||
||||
|
||
|---

BODY OF ISA-TR84.00.03-2002.
Annex R Model procedure for testing a complex logic system

R.1 Preflash evaporator injection
R.1.1
Pre-test signature requirements
I have read and understand the scope and content of this test, and verify that it is safe to perform the test
as described below.
______________________________________________
Operator (Signature)
Date
I have reviewed this test document, met the prerequisites as detailed in plant policies, briefed all
appropriate personnel, received a written work permit, and am ready to begin the test.
______________________________________________
Technician performing the test (Signature)
R.1.2
Date
Test equipment requirements
Two (2) Thermocouple Temperature Simulators (Type J)
Or,
Three (3) Thermocouple Temperature Simulators (Type J), if available.
Bypass Enable Keyswitch Key for Pre-Flash Evaporator Injection (Located in Bypass
Enable Keyswitch HS-2308).
Two (2) Radios

NOTE
Do not operate radios in the computer room.
NOTES:
All test equipment must be calibrated within one year of this test and have the proper certification
from the on-site metrology laboratory.
Prior to its use, all test equipment must be compared to another identical instrument to ensure the
test equipment is serviceable and ready for use.
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
R.1.3
100
General
Reference: SIF Drawing(s) specific to this system

R.1.4
Valve line-up activities
Before beginning any portion of this test, the Technician Performing the Test shall have an Operator close
the downstream manual injection system valve associated with this system. Since the downstream
manual injection block valve is Car Sealed, the Operator must first remove and dispose of the Car Seal
before closing this valve. Closing of the manual block valve shall be performed in accordance with all
existing site procedures.
Upon completion of this test, the Technician Performing the Test shall inform the Operator the
downstream manual block valve may be opened. Opening of the manual block valve shall be performed
in accordance with all existing site procedures. The Operator must install and lock a new Car Seal on the
manual block valve and record the Car Seal Number in the space provided at the end of this test.
NOTE
R.1.5
See the Testing Tables for detailed instructions and sign-off for the valve line-up activities.
Inspection
Before beginning any portion of this test, the Technician Performing the Test shall ensure that the system
is in a normal Off-line condition and NOT tripped. If the system is tripped, the Technician Performing The
Test shall STOP, and perform the following:
Contact Operations to confirm that the system is in a normal Off-line condition.
Request that Operations Reset the system.
Confirm that all conditions have returned to normal, the system is in a normal Off-line condition, and
the system is NOT tripped.
Confirm downstream manual block valves have been placed into the CLOSED position.
|---
||||
||
Initial _______________
The Thermocouple Input Trip and Manual Reset system indicators are verified, and the Final Control
Devices are tested. Since this system is de-energize to trip, the Final Control Devices will be checked to
ensure they are de-energized and fail to the safe position during a trip, and are energized and return to
the normal position after a Manual Reset.
A hardwired Bypass Enable keyswitch, located on the front door of the Triconex cabinet (the Triconex
cabinet is located in the Computer Room), must be placed into the Bypass Enable position before inputs
can be bypassed. Once enabled, the BPCS Bypass Set and Bypass Reset soft switches are used to
bypass points for maintenance. The BPCS Bypass Set switch sets the triad, pair, or individual input into
bypass (i.e. TE-2307X, TE-2307Y, and TE-2307Z are placed into bypass by BPCS switch HS-2307S).
Individual thermocouples are not typically bypassed (i.e. the Operator is prevented from bypassing ONLY
TE-2307Z).
Procedure No.
Revision Date
Page _ of _

||||
--
This section tests thermocouple input processing, thermocouple trip action, and thermocouple bypass
action. This section requires that Thermocouple Temperature Simulators be connected to the
thermocouple leads prior to beginning the test. At the conclusion of this section, all Thermocouple
Simulators may be disconnected.
|||| ||
Thermocouple input, trip, and bypass action
||| || | ||| || |
R.1.6
101
ISA-TR84.00.03-2002
Table R-1-6A should be used to validate the Thermocouple Input, Trip, and Bypass Action. All BPCS
points for this system can be found on BPCS schematic PREFLASH."
Table R.1.6A Thermocoup le input, trip, and bypass action validation

Testing comment:
The following section prepares the system for testing.
Step
Step Instructions
Expected Result(s)
Check
(Initials)
1.0
Ensure system is NOT tripped.
Verify that System Trip lamp on

switch HS-2306 is NOT lit.
Verify that BPCS tag HXB2306C is NOT in alarm.
2.0
Remove the Car Seal from the DOWNSTREAM injection

system manual block valve and dispose of the Car Seal.
Close the DOWNSTREAM injection system manual block
valve.
Verify the UPSTREAM injection system manual block valve
is Car Sealed.
NOTE If the UPSTREAM injection system manual block
valve is NOT Car Sealed, request the Operator install and
lock a new Car Seal on this valve.
Request the Operator remove

the Car Seal and close the
DOWNSTREAM injection system
manual block valve.
Verify that Operations has
performed this step.
Record the Car Seal of the
UPSTREAM injection system
manual block valve below:
UPSTREAM Car Seal Number:
__________________________
3.0
Verify that BPCS setpoint indicator is correct.
Verify that BPCS setpoint

indicator TSP-2307 reads: 245.0
deg. F.
4.0
Momentarily disconnect Thermocouple TE-2307X.
Verify that BPCS tag TXA2307C, Thermocouple Burnout,

is in alarm.
5.0
Connect a Thermocouple Temperature Simulator to TE2307X.
Verify that temperature readings

are received on BPCS indicator
TI-2307X.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
Testing comment:
102
The following section tests the X and Y thermocouples.

T/C X is driven high, then T/C Y is driven high.
6.0
Drive TE-2307X above the high trip setpoint: 245.0 deg. F.
N/A
7.0
Momentarily disconnect Thermocouple TE-2307Y.

is in alarm.
8.0
Connect a Thermocouple Temperature Simulator to TE2307Y.

TI-2307Y.
9.0
Drive TE-2307Y above the high trip setpoint: 245.0 deg. F.

switch HS-2306 is lit.
Verify BPCS tag HXB-2306C is
in alarm.
Verify BPCS tag TAX-2307C,
High Temperature Trip, is in
alarm.
Verify annunciator TAX-2307A is
in alarm.
Verify that solenoid valves are
de-energized and valves are
OPEN.
XY-2307A, XV-2307A
XY-2307B, XV-2307B
XY-2307C, XV-2307C
XY-2307D, XV-2307D
Note actual temperature on
simulator where trip occurred
and document on the appropriate
SIS Field Function Test Findings
Form.
Record all findings on the
appropriate SIS Field Function
Test Findings Form.
--
Drive TE-2307X below the high trip setpoint: 245.0 deg. F.
Verify "OK to Reset" lamp on

switch HS-2306 is lit and BPCS
tag HXA-2306C is in alarm.
11.0
Drive TE-2307Y below the high trip setpoint: 245.0 deg. F.
N/A
10.0
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

103
Testing comment:
ISA-TR84.00.03-2002

T/C X is driven high, then T/C Y is driven high (Cont.).
12.0
Reset the system by positioning switch HS-2306 to the

System Reset position. Return switch HS-2306 to the
Normal position.

NOT in alarm.
High Temperature Trip, is NOT
in alarm.
NOT in alarm.
energized and valves are
CLOSED.
XY-2307A, XV-2307A
XY-2307B, XV-2307B
XY-2307C, XV-2307C
XY-2307D, XV-2307D
--

Test Findings Form.
|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

--
ISA-TR84.00.03-2002
104
|
||| || | ||| || |
Testing comment:
||||
The Bypass for T/C X and T/C Y is tested.
|||| ||
13.0
||||
|
||
|---
14.0
15.0
Confirm that Bypass Enable Keyswitch HS-2308 is NOT in

the Bypass position (the Bypass Enable keyswitch is
located on the front of the Triconex cabinet). Confirm that
inputs can NOT be placed into bypass by selecting BPCS
switch THS-2307S, Bypass Set.
Verify that BPCS tag TAB-2307C

is NOT in alarm.
Place Bypass Enable key HS-2308 in the Bypass position

(NOTE The Bypass Enable Keyswitch is located on the
front of the Triconex cabinet).
Verify that Bypass Enabled

lamp on switch HS-2306 is lit.
Select BPCS switch THS-2307S, Bypass Set.

is in alarm.
Verify that annunciator HA2308A is NOT in alarm.
Verify BPCS tag HXC-2308C is

in alarm.
Verify that annunciator HA2308A is in alarm.

16.0
N/A
17.0

NOT in alarm.
18.0
N/A
19.0
Select BPCS switch THS-2307R, Bypass Reset.

is NOT in alarm.
20.0
Disconnect Thermocouple Temperature Simulator from TE2307Y. Restore Thermocouple TE-2307Y to its normal
configuration.
N/A
Procedure No.
Revision Date
Page _ of _

105
Testing comment:
ISA-TR84.00.03-2002
The following section tests the X and Z thermocouples.

T/C X is high, then T/C Z is driven high.
21.0
Momentarily disconnect Thermocouple TE-2307Z.

is in alarm.
22.0
Connect a Thermocouple Temperature Simulator to TE2307Z.

TI-2307Z.
23.0
Drive TE-2307Z above the high trip setpoint: 245.0 deg.

F.

in alarm.
alarm.
in alarm.
Drive TE-2307Z below the high trip setpoint: 245.0 deg. F.
N/A
26.0

Normal position.

|
--

NOT in alarm.
||| || | ||| || |
||||
25.0
||
Verify BPCS tag HXA-2306C is

in alarm.

||||
|||| ||
24.0
|---

Form.

in alarm.
NOT in alarm.
Procedure No.
Revision Date
Page _ of _

106
ISA-TR84.00.03-2002
Testing comment:
The following section tests the X and Z thermocouples.

The Bypass for T/C X and T/C Z is tested.
27.0

is in alarm.
28.0
N/A
29.0
Drive TE-2307Z above the high trip setpoint: 245.0 deg. F.

NOT in alarm.
30.0
N/A
31.0

is NOT in alarm.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

107
Testing comment:
ISA-TR84.00.03-2002
The following section tests the Y and Z thermocouples.
Connect a Thermocouple Temperature Simulator to TE2307Y.

TI-2307Y.
35.0

in alarm.
alarm.
in alarm.
--

Form.
||
34.0
N/A
||||
Momentarily disconnect Thermocouple TE-2307Y.
|||| ||
33.0
||||
N/A
||| || | ||| || |
Disconnect Thermocouple Temperature Simulator from TE2307X. Restore Thermocouple TE-2307X to its normal
configuration.
32.0
|---
T/C Z is high, then T/C Y is driven high.
36.0

Verify BPCS tag HXA-2306C is
in alarm.
37.0
N/A
38.0

Normal position.

NOT in alarm.
in alarm.
NOT in alarm.
Procedure No.
Revision Date
Page _ of _

108
ISA-TR84.00.03-2002
Testing comment:
The following section tests the Y and Z thermocouples.

The Bypass for T/C Y and T/C Z is tested.
39.0

is in alarm.
40.0
N/A
41.0
Drive TE-2307Z above the high trip setpoint: 245.0 deg. F.

NOT in alarm.
42.0
N/A
43.0
N/A
44.0

is NOT in alarm.
Testing comment:
45.0
The following section restores the system.
Place Bypass Enable key HS-2308 located in Bypass

Enable Keyswitch HS-2308, in the Normal position
Verify that Bypass Enabled

lamp on switch HS-2306 is
NOT lit.
(NOTE the Bypass Enable Keyswitch is located on the

front of the Triconex cabinet).
Verify BPCS tag HXC-2308C is

NOT in alarm.
46.0
Disconnect Thermocouple Temperature Simulators from

TE-2307Y and TE-2307Z.
N/A
47.0
Restore Thermocouples TE-2307Y and TE-2307Z to their

normal configuration.
N/A
48.0
Ensure the system has been returned to normal.
Verify all switch lamps for HS2306 are NOT lit.
49.0
Record all findings on the appropriate SIS Field Function

Test Findings Form.
N/A
R.1.7
Manual trip/Reset logic function validation
Manual Trip and Reset logic function validation is conducted by positioning the switch into the System
Trip and Reset Positions. The Manual Trip and Reset system indicators are verified, and the Final
Control Devices are tested. Since this system is de-energize to trip, the Final Control Devices will be
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

109
ISA-TR84.00.03-2002
-|
||| || | ||| || |
checked to ensure they are de-energized and fail to the safe position during a trip, and are energized and
return to the normal position after a Manual Reset.
||||
|||| ||
Table R-1-7A should be used to validate the Manual Trip and Reset function. All BPCS points for this
system can be found on BPCS schematic PREFLASH."
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

--
110
ISA-TR84.00.03-2002
|
||| || | ||| || |
Table R.1.7A Manual trip and reset logic functionality validation
||||
|||| ||
||||
Step
Step Instructions
Expected Result(s)
Check
|
||
(Initial)
|---
50.0
Initiate a Manual Trip by positioning switch HS-2306 to the

System Trip position. Return switch HS-2306 to the
Normal position.
Verify that System Trip lamp

on switch HS-2306 is lit.
Request operations remove the bleeder cap between the

four valves XV-2307A/B/C/D.
Verify the restriction orifice

located by valves XV2307A,B,C,&D, is leaking to
ground.

in alarm.

de-energized and valves are
OPEN.
XY-2307A, XV-2307A
XY-2307B, XV-2307B
XY-2307C, XV-2307C
XY-2307D, XV-2307D
Test Findings Form.
51.0
Initiate a Manual Reset by positioning switch HS-2306 to

the System Reset position. Return switch HS-2306 to the
Normal position.
Verify that System Trip lamp

on switch HS-2306 is NOT lit.
NOT in alarm.
Verify the restriction orifice
located by valves XV2307A,B,C,&D, is NOT leaking
to ground.
energized and valves are
CLOSED.
XY-2307A, XV-2307A
XY-2307B, XV-2307B
XY-2307C, XV-2307C
XY-2307D, XV-2307D
Test Findings Form.
Procedure No.
Revision Date
Page _ of _

111
Testing comment:
52.0
ISA-TR84.00.03-2002
Restore the system to normal.
Ensure the system has been returned to normal.
Verify all switch lamps for HS2306 are NOT lit.
Request operations re-install the bleeder cap between the

four valves XV-2307A/B/C/D.
53.0
Record all findings on the appropriate SIS Field Function

Test Findings Form.
N/A
54.0
Open the DOWNSTREAM injection system manual block

valve.
Request the Operator open the

DOWNSTREAM injection
manual block valve and install
and lock a new Car Seal onto
the valve.
Install and lock a new Car Seal on the DOWNSTREAM

injection manual block valve.
Verify that Operations has

performed this step.
Record the new Car Seal on
the DOWNSTREAM injection
system manual block valve
below:
DOWNSTREAM Car Seal

Number:
_________________________
R.1.8
Test completed: Time:
R.1.9
Signature identification log
Date:
Print Name
Procedure No.
Revision Date
Page _ of _
Signature
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
112
R.1.10 Post test activities

R.1.10.1 Post test sign-offs
Test Equipment
Model No.
Equip. No.
Date
-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

113
ISA-TR84.00.03-2002
R.1.10.2 Failure log

Step
Device
Failure Description*
Failure
Corrected
Initials
-|
||| || | ||| || |
||||
|||| ||
* Attach additional sheets if necessary
||||
R.1.11
Post-test signature requirements
|
||
|---
I have verified that the system was returned to its normal operational condition and is ready for startup.
______________________________________________
Operator (Signature)
Date
This completed test has been reviewed and all pertinent data has been captured for historical reference.
______________________________________________
Technician Performing the Test (Signature)
Date
Procedure No.
Revision Date
Page _ of _

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

115
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex S Model procedure for testing emergency stop switch

Procedure:
_____1.
Verify that all interlocks are satisfied for operating condition. This may require forcing any
startup permissive interlocks with either a current source or a HART communicator.
_____2.
Notify the control room operator that a test of the emergency stop switch is going to take
place.
_____3.
When the control room operator is ready to begin the test, I/E technician will monitor the
emergency stop relay in the interlock cabinet.
_____4.
Have the control room operator change the emergency stop switch position to stop. Verify
that the relay de-energizes when the switch changes position.
_____5.
Verify that the alarms for process shutdown are actuated.
_____6.
Verify that all valves go to the correct position (field operator).
_____7.
Verify that HMI display indicates correct position for all valves.
_____8.
Return the emergency stop switch to normal position.
_____9.
Did the emergency stop switch shutdown the process correctly? Yes / No (circle one)
____10.
If test of emergency stop switch was not successful, what was required to correct the
situation?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Test performed by: _______________________________
Date ______________
_______________________________
______________
_______________________________
______________
_______________________________
______________
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

117
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex T Model procedure for testing a relay implemented SIF

Vessel exit temperature interlock tests (Loop No. TS-1, TS-2, TS-3)
Responsibility: I = Instrument O = Operations E = Electrical
I/E:
____1.
Bypass all necessary interlocks to reset Feed and Dump interlocks.

In relay cabinet A in building 100: Install jumpers between following terminals:
terminal P21
terminal 8 on relay AR11
jumper terminal 9 on relay AR9
terminal P62
terminal 5 on AR10
terminal 9 on relay AR 16
terminal 9 on relay 17
terminal 8 on Relay AR35
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

118
ISA-TR84.00.03-2002
terminal P41
terminal P42
terminal P33
terminal 5 on relay BR9
Block AR20 Low Feed flow
Block AR10 Dump System
Block AR40
Install jumper in section 4 of Bldg 100 480v switchgear from terminal UA-5 to terminal UE-11.
Install a jumper in section 4 of Bldg 100 480v switchgear from terminal UA-5 to terminal UE-12.
Rack Circulating Pump Breaker into the test position. (This will remove power from the motor.)
Assure that sparge water HS-4544 is in the run position (no water flow).
Install a jumper in relay cabinet A from terminal 5 on relay AR17 to terminal 6 on relay AR33.
E/I:
2. Take the necessary action to satisfy the following interlocks by establishing process
conditions or driving the transmitters with test equipment.
LX-4711
Feed Off-Gas Separator Hi Hi Level
PX-4549
Low low Process Air Pressure
E/I:
3. Disconnect TE-4513 at the tag head and connect a thermocouple simulating device to the tag
head and load to clear the interlock.
O:
4. Activate Dump System reset switch HS-4540
Push start button on circulating pump and observe run condition on BPCS.
a. Verify the following valves are in proper run position.
||||
5. Verify the proper interlocks, audible alarms, or visual indications are not activated.
||| || | ||| || |
O:
|||| ||
The proper valves should now be reset.
||||
||
Activate HS-4593, HS-4594, HS-4541, HS-4571, and HS-4542 resets.
|---
Place HS-2361 in normal position.
--
HV-4508-1 Water valve #1 closed

Procedure No.
Revision Date
Page _ of _

119
ISA-TR84.00.03-2002

HV-4508-3 Water bleed valve open
HV-4503-1 Feed valve open
HV-4503-3 Feed bleed valve closed
E/I:
6. Slowly lower the signal on TE-4513 until the low interlock occurs. Verify the interlock
actuates at correct setting.
O:
7. Verify the Feed interlocks, audible alarms, and visual indications have occurred:
a. HV-4508-1 Water valve #1 open
HV-4508-2 Water valve #2 open
HV-4508-3 Water bleed valve closed
HV-4503-1 Feed valve closed
|---
||||
||
HV-4503-3 Feed bleed valve open

8. Increase the signal on TE-4513 to clear interlock.
O:
9. Activate Feed reset switch HS-4542
--
10. Verify that the Feed interlocks, audible alarms, or visual indications are not activated.
The unit Feed valves should now be reset.
||| || | ||| || |
||||
|||| ||
E:

E/I:
11. Slowly raise the TE-413 signal until the interlock occurs. Verify that the interlock occurs at
the proper setpoint.
O:
12. Verify the Feed interlocks, audible alarms, and visual indications have occurred:
Procedure No.
Revision Date
Page _ of _

--
ISA-TR84.00.03-2002
120
|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

E/I:
13. Move the jumper that goes from terminal 11 of AR10 to terminal 13 of AR10. Place it on
terminal 11 of AR10 to terminal 6 of AR37. This will bypass TS2 interlock of TE-4513.
E:
14. Install a jumper from terminal P1 to terminal 10 of AR3.
O:
Block BR14
Connect a voltmeter to terminal 6 on relay AR40. Verify the presence of voltage to this
point.
15. Activate the Feed reset switch HS-4542.

The unit valves should now be reset.
O:
16. Verify that the interlocks, audible alarms, or visual indications are not activated.
b. Verify the presence of power on terminal 6 of AR10.
E/I:
17. Slowly raise the signal on TE-4513 until the interlock occurs. Verify that the interlock occurs
at proper setpoint.
O:
18. Verify the interlocks, audible alarms, and visual indications have occurred.
Procedure No.
Revision Date
Page _ of _

121
ISA-TR84.00.03-2002
||
|---
||||

verify the loss of voltage on terminal 6 on relay AR40.
Move the jumper that goes from terminal 11 on relay AR17 to terminal 9 on relay AR24.
Place it on terminal 10 on relay AR17 to terminal 8 on relay AR24.
Move the jumper that goes from terminal 5 on relay AR31 to terminal 4 on relay AR17.
Place it on terminal 5 on relay AR31 to terminal 6 on relay AR36.
Remove the jumper that goes from terminal 9 on relay AR35 to terminal 6 on relay AR36.
||| || | ||| || |
19. To verify redundant relays on interlock, move the following jumpers:
E/I:
20. Repeat steps 2-4.
E/O:
21. Verify that the proper interlocks, audible alarms, and visual indications are not activated.
Using terminal 6 on relay AR22 as a common point, verify the presence of voltage to
neutral indicating Feed interlock is reset.
Using terminal 6 on relay AR40 as a common point, verify the presence of voltage to
neutral indicating LV-4586 and FV-2141 is reset.
E/I:
22. Slowly raise the TE-4513 signal until the interlock occurs. Verify the interlock occurs at the
correct setpoint.
E/O:
23. Verify that the proper interlocks, audible alarms, and visual indications are activated.
Using terminal 6 on relay AR22 as a common point, verify the presence of no voltage to
neutral indicating Feed interlock.
Using terminal 6 on relay AR$0 as a common point, verify the presence of no voltage
indicating LV-4586 and FV-2141 interlock.
E/I:
24. To verify redundant feed interlock by the redundant dump relay block relay AR11 and unblock
relay AR10.
E/I:
25. Repeat steps 20, 21, 22, and 23.
E/I:
26. To verify redundant preheater interlock by the redundant dump relay:
Move the jumper from terminal 5 on relay AR15 to terminal 5 on relay AR10. Place it on
terminal 5 on relay AR15 to terminal 4 on relay AR10.
27. Move jumper from terminal 5 on AR5 to terminal 4 on AR11. Place it from terminal 5 on AR5
to terminal 8 on AR4.
E/I:
28. Repeat steps 2, 3, 4, 15, 16, 17, and 18.
Procedure No.
Revision Date
Page _ of _

--
E/I:
||||
|||| ||
b.
ISA-TR84.00.03-2002
E:
122
29. Remove all jumpers and return loops to their normal mode of operation.
Reference Drawings:
Schematics, ladder logic and wiring diagrams.
-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

123
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex U Model procedure for testing SIF watchdog timer

Description: Because the interlocks implemented in the SIF require a high level of integrity, a watch dog
timer system has been implemented. This system will provide an external check of the operating
condition of the SIF processor and its associated I/O cards. This is accomplished by utilizing a relay and
an associated circuit, which must be periodically pulsed in order to stay energized. This pulsing signal is
generated within the SIF configuration and is output to the WDT. If the external WDT detects a loss of
pulsing signal, the WDT relay will de-energize. This will activate an alarm as well as certain interlocks. All
hard-wired interlocks will be dropped out.
All three of the outputs are paralleled as inputs to the watchdog timer.
Output #2 is programmed with input #2. This input has only one field connection, which is the neutral
side of the input. The intent of the input is to detect an input card failure. If this occurs, the input goes
high which causes the output to go high. This prevents the external watchdog timer from pulsing and
eventually causes it to trip.
Output #1 is unconnected in the BPCS logic. This point is to detect an output card failure, which will
cause the point to go high and trip the timer.
Output #3 is programmed to pulse (square wave) the external watchdog timer. Timing between the pulse
and the watchdog is critical to the watchdog relay staying energized. At least two pulses per timer
interval are needed to keep the timer energized.
Procedure:
_____1.
Put the interlock bypass switch in the SIF program to the bypass position.
_____2.
Verify the interlock bypass alarm energizes on the BPCS.
_____3.
Verify the process being protected by the SIF is running and the following safety interlock
relays are energized: 5860-R, 1454-R, 5808-R, and 3105-R.
_____4.
Hold in the SIF WDT test button in the SIF cabinet and using a stopwatch, measure the time
required for the SIS WDT relay to de-energize.
_____5.
Document the time required for the WDT circuit to the interlocks: ______ seconds
(set point = 2 seconds, tolerance = 1.5 seconds).
_____6.
Verify the WDT alarm sounds from the BPCS.
_____7.
Verify the WDT safety relay, 5860-R, de-energized.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

-|
ISA-TR84.00.03-2002
||| || | ||| || |
124
Test performed by:
||||
|||| ||
||||
___________________________________
Date _______________
___________________________________
_______________
|
||
|---
Procedure No.
Revision Date
Page _ of _

125
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex V-1 Model procedure for on-line testing of sensor logic

Safety Instrumented System on-line testing procedure
SECTION 1 - GENERAL INFORMATION
Recommended Personnel required to accomplish this Trip System Test is 2 Technicians and 1
Operator. Each step shall be completed and initialed by the Instrument Craftsman. An Operations
representative shall track the actions of the procedure, participate in the procedure as described and
manage the Bypass Switches, Keys and Bypass Log Book.
____ 1.
Test Equipment List

(1) Fluke Multimeter
(2) Precision DC Milliamp/Voltage source
||
|---
(1) Thermocouple Simulator
||||
(1) Pneumatic hand pump with 0-15 psig test gauge
Obtain a Current version of the "SIS description" and "SIS Calibration Sheets" before
continuing.
SECTION 2 - GENERAL SYSTEM CHECKOUT

____ 1.
Lamp test all ICS matrix LEDs on ICS Panel by pushing the Lamp test pushbutton in the
lower right hand corner of the matrix. Replace all malfunctioning LEDs.
SECTION 3 - TRIP SYSTEM CHECKOUT (TRIP ALARMS)

NOTE TDC controllers and alarms are located on TDC Hi-ways 1 and 2. Sequence of Events (SOE) Recorder points are located
on the LCN Universal Station Console located in the Computer Room.
____ 1.
At the ICS, panel matrix, place Output Bypass switch HS-1253 in "BYPASS." Verify
illumination of the amber LEDs at the bypass key switches. Also verify "I-1 System
Procedure No.
Revision Date
Page _ of _

--
(1) 24VDC Power Supply
||| || | ||| || |
(1) Wallace & Tiernan Calibrator
____ 2.
|||| ||
||||
(1) Honeywell Smart Field Communicator
126
ISA-TR84.00.03-2002
Bypassed" lights at Shutdown Switches HS-1252 and HS-1291 are illuminated at the TDC
console.
NOTE The Output bypass switch is used to allow testing of the trip alarms since the Input Bypass switch is before
the Trip Alarm.
____ 2.
Verify the Trip transmitter (TT-1244) matches the Pre-Alarm transmitter (TT-1245) at TDC
point T1244DCC. Operations Note: Monitor TDC point T1245.CC. Manually Trip the East
Riser Diversion at shutdown switch HS-1252 located at the TDC console if: the temperature
(T1245.CC) drops below TSLL-1244 trip point or Control Room Annunciator Shutdown alarm
"XA-1345A Riser #1 Catalyst Slide Valve" trips. Monitoring the alarm is necessary since the
Output Bypass Switch is in Bypass which disables East Riser Diversion.
____ 3.
Connect the necessary test equipment to simulate the process at the transmitter below.
Calibrate transmitter, remove equipment, return to service, and fill out calibration sheet. Refer
to the Calibration Sheets and using a Honeywell Smart communicator verify the transmitter
Fail Modes are correct. Verify the Smart Communicator indicates the ID properly. Disconnect
the Smart Communicator upon completion of the above verification.
____ A.
____ 4.
TT-1244
Follow this step to verify the alarms and TDC indication for TT-1244.
____ A. Connect voltage simulator to input jacks of TT-1244 trip card. Verify TDC indication
for Transmitter TT-1244 (Group 504). Simulate the process to 0, 50, & 100% of
calibrated range. Verify the TDC Displays within 2% and verify the units are correct.
Fill out calibration sheet for TY-1244.
____ B. Test the Trip System/Process Control Transmitter high deviation alarm for TT-1244 &
1245.
--
Set TT-1244 equal to the process Temperature indicated TT-1245. Verify

TDC alarm T1244DCC is not in alarm.
____ 2.
Decrease TT-1244 temperature and verify TDC alarm T1244DCC alarms as

the temperature reaches 10% below TT-1245. Set TT-1244 equal to the
process temperature indicated by TT-1245. Verify TDC alarm T1244DCC
clears.
____ 3.
Increase TT-1244 temperature and verify TDC alarm T1244DCC alarms as

the temperature reaches 10% above TT-1245. Set TT-1244 equal to the
process Temp indicated by TT-1245. Verify TDC alarm T1244DCC clears.
____ 4.
Verify alarms listed below in step "C" are clear.
____ 1.
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
____ C. Observing TT-1244 Trip Card LED, verify TSLL-1244 LED illuminates Red at the
Calibration Sheet specified (V) setting. Verify the input LED on ICS panel
extinguishes at TSLL-1244 trip point. Verify the alarms listed below trip 2 minutes
after TT-1244 input LED extinguishes. Complete TSLL-1244 calibration sheet.
____ 1.
Hi-way 1 TDC Trip Alarm "T1244ZCC."
____ 2.
Control Room Annunciator Trip Alarm "TALL-1244A"
Procedure No.
Revision Date
Page _ of _

127
____ 3.
ISA-TR84.00.03-2002
Sequence of Events Recorder Alarm "T1244ZCC"
Disconnect all test equipment from TY-1244.
____ E.
Verify that TSLL-1244 is in a non-trip condition (ICS panel matrix green input LED
for TSLL-1244 is illuminated). Verify the Trip transmitter (TT-1244) matches the
Pre-Alarm transmitter (TT-1245) at TDC point T1244DCC.
____ F.
Return Output Bypass switch HS-1253 to "Normal."
____ A.
____ 7.
Connect the necessary test equipment to simulate the process at the transmitter below. Refer
Fail Modes are correct. Verify the Smart Communicator indicates the ID properly.
Disconnect the Smart Communicator upon completion of the above verification. Calibrate
transmitter, remove equipment, return to service, and fill out calibration sheet.
____ A.
____8.
TT-1245A
TT-1245B
Follow this step to verify the Pre-alarms and TDC indication for TT-1245.
____ A.
Connect simulator in marshalling cabinet (refer to loop sheet T1245.cc) Verify TDC
indication for Transmitter TT-1245A. Apply 0, 50 and 100% to the TDC and verify
the TDC displays accurately within 2% and the units are correct. Leave at 100%
and verify alarms listed below in step "B" are clear. If transmitter A is selected
check TDC on T1245.CC. If transmitter B is selected check TDC on T1245.BCC.
____ B.
Observing TSL-1245 Moore Industries Alarm Card LED verify TSL-1245 Red LED
extinguishes at the Calibration Sheet specified (V) setting. Complete the
calibration sheet for TSL-1245 and adjust the trip card setting as needed. Verify
alarms listed below are in alarm.
____ 1. Hi-way 1 TDC Pre-Alarm "T1245LCC."

____ 2. Control Room Annunciator Pre-Alarm "TAL-1245A"
____ C.
Disconnect all test equipment. Verify the Pre-Alarm transmitter matches the Trip
transmitter at TDC point T1244DCC.
____ D.
Return controller T1245.CC to "Automatic."
Procedure No.
Revision Date
Page _ of _

||||
Connect the necessary test equipment to simulate the process at the transmitter below. Refer
Fail Modes are correct. Verify the Smart Communicator indicates the ID properly.
Disconnect the Smart Communicator upon completion of the above verification. Calibrate
transmitter, remove equipment, return to service, and fill out calibration sheet.
||| || | ||| || |
____ 6.
At the TDC console, place controller TRC-1245 in "Manual." Operations Note: Monitor the
Trip Transmitter at TDC point "T1244DCC" and make adjustments to the process as
needed at controller T1245.CC. Slide Valve differential pressure controller PDRC-1304
should remain in Automatic to maintain the DP if needed.
--
____ 5.
|||| ||
||||
||
|---
____ D.
ISA-TR84.00.03-2002
128
Comments ___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
|---
CRAFTSMAN SIGNATURE: _____________________________
--
||| || | ||| || |
||||
|||| ||
||||
||
DATE: _____________
Procedure No.
Revision Date
Page _ of _

--
129
ISA-TR84.00.03-2002
|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

BODY OF ISA-TR84.00.03-2002.
Annex V-2 Model procedure for testing sensor logic

See Annex V-1 for preliminary information.
____ 1.
At the ICS panel matrix, place LSHH-1404/LSHH-1418 bypass switch HS-1404 in "Bypass."
____ 2.
Verify illumination of the amber LEDs at the bypass keyswitches. Also verify "I-1 System
console.
____ 3.
Verify TDC Tag: L1404.CC & L1418.CC Level indications match. Operations Note: Monitor
the Pre-alarm transmitter (L1417.CC) since the Trip transmitters will be out of service.
Locate manual shutdown switch HS-1321, 1343 and 1436 on the TDC console. If the level
indicated by L1417.CC increases above LSHH-1404/1418 trip setting, operations should
Manually trip Riser #1 and 2 Regenerated Catalyst Slide valve by switching HS- 1321 and
HS-1343 to SHUTDOWN.
____ 4.
Follow this step to connect a Smart communicator and ID transmitters LT-1404 & 1418.
____ A.
Disconnect the Power from the positive (+) terminal of transmitter LT-1418.
NOTE
This must be done so that the Smart Communicator may communicate with LT- 1404.
____ B.
Refer to the Calibration Sheets and using a Honeywell Smart communicator verify
transmitter LT- 1404 Fail Mode is correct. Verify the Smart Communicator indicates
the ID properly. Disconnect the Smart Communicator upon completion of the above
verification.
____ C.
Reconnect the Power to the positive (+) terminal of transmitter LT-1418.
____ D.
Disconnect the Power from the positive (+) terminal of transmitter LT-1404.
NOTE
This must be done so that the Smart Communicator may communicate with LT- 1418.
____ E.
transmitter LT- 1418 Fail Mode is correct. Verify the Smart Communicator indicates
the ID properly. Disconnect the Smart Communicator upon completion of the above
verification.
____ F.
Reconnect the Power to the positive (+) terminal of transmitter LT-1404.
____ 5.
Follow this step to verify the alarms for LT-1404 & 1418.
Procedure No.
Revision Date
Page _ of _

130
ISA-TR84.00.03-2002
____ A.
____ B.
Connect the necessary test equipment to simulate the process at the transmitters
below. Calibrate transmitter, remove equipment, return to service, and fill out
calibration sheet.
____ A.
LT-1404
____ B.
LT-1418
Test the Trip Transmitters high deviation alarm for LT-1404 & 1418.
____ 1.
Connect simulators to wiring to control room.
____ 2.
Set LT-1404 to 50% of the calibrated range. Set LT-1418 to 50% of the
calibrated range. Verify TDC alarm L1402DCC is not in alarm (Group 210).
____ 3.
Maintain LT-1404 signal at 50% of the calibrated range. Decrease LT1418 signal and verify TDC alarm L1402DCC alarms as the signal reaches
40% of the calibrated range of LT-1418. Set LT-1418 to 50% of the
calibrated range. Verify TDC alarm L1402DCC clears (Group 210).
____ 4.
Maintain LT-1418 signal at 50% of the calibrated range. Decrease LT1404 signal and verify TDC alarm L1402DCC alarms as the signal reaches
40% of the calibrated range of LT-1404. Set LT-1404 to 50% of the
calibrated range. Verify TDC alarm L1402DCC clears (Group 210).
____ 5
Complete LSD-1402 Calibration Sheet.
____ 6
Remove simulators and reconnect.
____ C.
Connect simulator to input jacks of LT-1404 & 1418 trip cards. Verify TDC indication
for Transmitter LT-1404 & 1418 (TDC tag: L1404.CC & L1418.CC Group 210).
Simulate the process to 0, 50, & 100% of calibrated range. Verify the TDC Displays
within 2% and verify the units are correct. Leave at 50% and verify alarms listed
below in step "E" are clear. Fill out calibration sheets for LY-1404 & 1418.
____ D.
Observing LT-1404 Trip Card LED, decrease LT-1404 and verify the Ronan LED
illuminates Red at the Calibration Sheet specified (V) setting. Verify alarms listed
below are in alarm. Fill out LSLL-1404 calibration sheet. Return to 50% and verify
alarms in step E clear.
____ E.
Observing LT-1418 Trip Card LED, decrease LT-1418 and verify LSLL-1418 Ronan
LED illuminates Red at the Calibration Sheet specified (V) setting. Verify alarms
listed below are in alarm. Fill out LSLL-1418 calibration sheet. Return to 50% and
verify alarms are clear.
____ F.
____ A.
Hi-way 1 TDC Trip Alarm "L1403BCC." Group 405
____ B.
Control Room Annunciator Trip Alarm "LALL-1403A"
____ C.
Sequence of Events Recorder Alarm "L1403BCC"
Observing LT-1404 Trip Card LED, increase LT-1404 and verify LSHH-1404 Ronan
Trip Card LED illuminates Red at the Calibration Sheet specified (V) setting.
Complete LSHH-1404 calibration sheet. Set LT-1404 above LSHH-1404 trip point.
Verify alarms listed below in step "G" are clear.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

131
____ G.
ISA-TR84.00.03-2002
Observing LT-1418 Trip Card LED, increase LT-1418 and verify LSHH-1418 Ronan
Trip Card LED illuminates Red at the Calibration Sheet specified (V) setting.
Complete LSHH-1418 calibration sheet. Verify alarms listed below are in alarm.
____ A.
Hi-way 1 TDC Trip Alarm "L1403XCC." Group 405
____ B.
Control Room Annunciator Trip Alarm "LAHH-1403A"
____ C.
Sequence of Events Recorder Alarm "L1403XCC"
____ H.
Disconnect all test equipment.
____ I.
Verify that LSHH-1404 and LSHH-1418 are in a non-trip condition (ICS panel matrix
green input LEDs for these inputs are illuminated). Verify TDC indication for LT1404 and 1418 match.
____ J.
Return LSHH-1404/LSHH-1418 bypass switch HS-1404 to "Normal."
Comments ___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
DATE: _____________
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

133
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex V-3 Model procedure for on-line testing sensor logic

____ 1.
At the ICS panel matrix, place PSLL-1328/1329 Input bypass switch HS-1328 in "Bypass."
Verify illumination of the amber LEDs at the bypass key switches. Also verify "I-1 System
console.
____ 2.
Verify TDC Tag: P1328.CC & P1329.CC DP indications match. Operations Note: Monitor
the Pre-alarm transmitter (P1326.CC) since the Trip transmitters will be out of service.
Locate manual shutdown switch HS-1321 on the TDC console. If the (P1326.CC) DP across
the Regenerated Catalyst Slide valve falls below PDSLL-1328/1329 Trip Setting, then a
manual trip of the Regen Cat Slide valve may be necessary.
____ 3.
Follow this step to connect a Smart communicator and ID transmitters PDT-1328 & 1329.
____ A.
Disconnect the Power from the positive (+) terminal of transmitter PDT-1329.
NOTE
This must be done so that the Smart Communicator may communicate with PDT-1328.
____ B.
the transmitter PDT-1328 Fail Mode is correct. Verify the Smart Communicator
indicates the ID properly. Disconnect the Smart Communicator upon completion of
the above verification.
____ C.
Reconnect the Power to the positive (+) terminal of transmitter PDT-1329.
____ D.
Disconnect the Power from the positive (+) terminal of transmitter PDT-1328.
NOTE
This must be done so that the Smart Communicator may communicate with PDT -1329.
____ E.
the transmitter PDT-1329 Fail Mode is correct. Verify the Smart Communicator
indicates the ID properly. Disconnect the Smart Communicator upon completion of
the above verification.
____ F.
Reconnect the Power to the positive (+) terminal of transmitter PDT-1328.
____ 4.
Follow this step to verify the alarms for PDT-1328 & 1329.
____ A.
Connect the necessary test equipment to simulate the process at the transmitter
below. Calibrate transmitter, remove equipment, return to service, and fill out
calibration sheet.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||

|---
134
ISA-TR84.00.03-2002
____ B.
____ A.
PDT-1328
____ B.
PDT-1329
Connect simulators to PT-1328 & PT-1329 wiring to control room. Test the Trip
Transmitters high deviation alarm for PDT-1328 & 1329.
____ 1.
Set PDT-1328 to 50% of the calibrated range. Set PDT-1329 to 50% of the
calibrated range. Verify TDC alarm P1327DCC is not in alarm.
____ 2.
Maintain PDT-1329 signal at 50% of the calibrated range. Decrease PDT1328 signal and verify TDC alarm P1327DCC (Group 185) alarms as the
signal reaches 40% of the calibrated range of PDT-1328. Set PDT-1328 to
50% of the calibrated range. Verify TDC alarm P1327DCC clears.
____ 3.
Maintain PDT-1328 signal at 50% of the calibrated range. Decrease PDT1329 signal and verify TDC alarm P1327DCC (Group 185) alarms as the
signal reaches 40% of the calibrated range of PDT-1329. Set PDT-1329 to
50% of the calibrated range. Verify TDC alarm P1327DCC clears.
____ 4.
Complete PDSD-1327 Calibration Sheet.
____ 5.
Remove simulators and reconnect.

____ C.
Verify TDC indication for Transmitter PDT-1328 & 1329 (TDC tag: P1328.CC &
P1329.CC). Simulate 0, 50, & 100% of calibrated range. Verify the TDC Displays
within 2% and verify the units are correct. Leave at 100% and verify alarms listed in
step "F" are clear. Fill out calibration sheets for PY-1328 & 1329.
____ D.
Observing PDT-1328 Trip Card LED, decrease PDT-1328 signal and verify PDSLL1328 LED illuminates Red at the Calibration Sheet specified (V) setting. Complete
PDSLL-1328 calibration sheet. Set PDT-1328 DP above PDSLL-1328 trip point.
____ E.
Observing PDT-1329 Trip Card LED, decrease PDT-1329 signal and verify PDSLL1329 LED illuminates Red at the Calibration Sheet specified (V) setting. Complete
PDSLL-1329 calibration sheet. PDT-1329 should remain in the trip condition.
____ F.
Verify PDT-1329 ICS EP-01, I-1 Green Input LED is extinguished. Decrease PDT1328 signal and verify PDT-1328, I-1 EP-01 Input LED extinguishes at PDSLL- 1328
trip setting. Verify the alarms listed below trip 30 seconds after PDT-1328 input LED
extinguished.
Hi-way 1 TDC Trip Alarm "P1342ZCC." Group 404
____ B.
Control Room Annunciator Trip Alarm "PDALL-1342A"
____ C.
Sequence of Events Recorder Alarm "P1342ZCC"

|
--
Procedure No.
Revision Date
Page _ of _
||||
Verify that PDSLL-1328 and PDSLL-1329 are in a non-trip condition (ICS panel
matrix green input LEDs are illuminated). Verify PDT-1328 & 1329 TDC Indications
match (TDC point P1328.CC & P1329.CC).
|||| ||
____ H.
||||
Disconnect all test equipment from PDT-1328 & 1329, PDY-1328 & 1329 and PDSD1327. Place transmitters PDT-1328 and PDT-1329 back in service.
||| || | ||| || |
____ G.
||
|---
____ A.

135
____ I.
ISA-TR84.00.03-2002
Return PDSLL-1328/1329 bypass switch HS-1328 to "Normal."
-|
||| || | ||| || |
Comments ___________________________________________________________
___________________________________________________________
||||
|||| ||
___________________________________________________________
||||
|
||
___________________________________________________________
|---
___________________________________________________________
___________________________________________________________
DATE: _____________
Procedure No.
Revision Date
Page _ of _


-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

137
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex W Model procedure for on-line final control element functional testing
Overview
This section has been developed to test I-1 SIF solenoids and/or valves on-line without initiating an actual
trip.
SIF Trip valves which are normally open may not be actuated. The trip valves that are Normally Open,
with latching solenoids are setup to allow solenoid valve testing. The solenoid valve wires will be lifted in
the field at the GUA conduit fitting terminal strip. All defective or corroded terminal strips shall be
replaced as required. A 24VDC power supply will be connected to the solenoid to trip the solenoid valve.
The valve will not be tripped from the ICS Emergency Trip System. The ICS Output line monitor provides
continuous testing of the Solenoid Circuit between the ICS cabinet and the solenoid valve. Therefore, it is
not necessary that the final control element be tested from the ICS cabinet.
The trip valves that are Normally Open, having any type of trip solenoid valve other than a Manual reset
solenoid are currently not setup to test the solenoid valves.
SIF Trip valves which may be blocked before and after the Trip Valve and are normally closed shall be
actuated.
____ 1.
Obtain Final Control Element Checkout Sheets for the following Solenoid valves.
____ HY-1224B
____ HY-1229B
____ FY-1247B
____ 2.
An operations representative must be present through each step of this Section. Obtain the
applicable permits as required to function each valve and/or solenoid.
____ 3.
Follow this step to verify operation of trip valve HV-1224, "Emergency Steam to Riser #1
Feed Line."
____ A.
Obtain a current copy of Loop Dwg H1224.CC and "Final Control Element Checkout
Sheet" for HY-1224B.
____ B.
Verify operations manually blocked the 3" manual valve after HV-1224.
____ C.
Remove HY-1224B Solenoid valve GUA conduit fitting cover. Visually inspect the
terminal connectors in the GUA fitting.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||

|---
ISA-TR84.00.03-2002
138
Verify the wire colors match the Loop Drawing.
____ E.
Replace terminal strip if defective or corroded. Reconnect the Reset solenoid and field
wires to the terminal strip if terminal strip replacement was done. Initial this step if
terminal strip replacement was required. If replacement is required but material is not
available then write comments in the "Final Control Element Checkout Sheet."
____ F.
Disconnect the TRIP Solenoid Valve Wires from the GUA terminal block.
____ G.
Verify the Output Line Monitor Fault RED LED is illuminated on the Alarms Matrix"
located on the front of the ICS, "Common Services Panel."
____ H.
Verify Annunciator alarm "XA-5842A" and Hiway 1 TDC alarm "X5842BCC" are in the
alarm condition.
____ I.
To apply 24VDC to the Trip coil, connect the 24VDC power supply to the lifted wires.
____ J.
Verify HV-1224 trips to the open position.
____ K.
Disconnect the power supply from the Trip Solenoid valve, re-terminate the trip solenoid
valve wires to the terminal strip and verify the valve remains in the Open position.
____ L.
Verify the Output Line Monitor Fault RED LED is extinguished on the " Alarms Matrix"
____ M.
Verify Annunciator alarm "XA-5842A" and Hiway 1 TDC alarm "X5842BCC" are clear.
____ N.
Disconnect the Reset Solenoid Valve Wires from the GUA terminal block.
____ O.
To apply 24VDC to the Reset Coil, connect the 24VDC power supply to the lifted wires.
____ P.
Verify HV-1224 Resets to the Closed position.
____ Q.
Disconnect the power supply from the Trip Solenoid valve and re-terminate the reset
solenoid valve wires to the terminal strip. Verify the valve remains in the closed position.
Replace the GUA fitting cover.
____ R.
Verify operations opened the 3" manual valve after trip valve HV-1224.
____ S.
Complete "Final Control Element Checkout Sheet" for solenoid HY-1224B.

Follow this step to verify operation of trip valve HV-1229, "Emergency Lift Steam to Riser #1."
Remove HY-1229B Solenoid valve GUA conduit fitting cover. Visually inspect the
____ D.
Verify the wire colors match the Loop Drawing.
____ E.
Replace terminal strip if defective or corroded. Reconnect the Reset solenoid and field
wires to the terminal strip if terminal strip replacement was done. Initial this step if
|||| ||
____ C.
||||
Verify operations manually blocked the 3" manual valve after HV-1229.
||| || | ||| || |
____ B.
Obtain a current copy of Loop Dwg H1229.CC and "Final Control Element Checkout
Sheet" for HY-1229B.
--
____ A.
||||
____ 4.
||
|---
____ D.
Procedure No.
Revision Date
Page _ of _

139
ISA-TR84.00.03-2002
terminal strip replacement was required. If replacement is required but material is not
available then write comments in the "Final Control Element Checkout Sheet."
____ F.
Disconnect the TRIP Solenoid Valve Wires from the GUA terminal block.
____ G.
Verify the Output Line Monitor Fault RED LED is illuminated on the " Alarms Matrix"
____ H.
alarm condition.
____ I.
____ J.
Verify HV-1229 trips to the open position.
____ K.
Disconnect the power supply from the Trip Solenoid valve, re-terminate the trip solenoid
valve wires to the terminal strip and verify the valve remains in the Open position.
____ L.
____ M.
Verify Annunciator alarm "XA-5842A" and Hiway 1 TDC alarm "X5842BCC" are clear.
____ N.
Disconnect the Reset Solenoid Valve Wires from the GUA terminal block.
____ O.
To apply 24VDC to the Reset Coil, connect the 24VDC power supply to the lifted wires.
____ P.
Verify HV-1229 Resets to the Closed position.
____ Q.
Disconnect the power supply from the Trip Solenoid valve and re-terminate the reset
solenoid valve wires to the terminal strip. Verify the valve remains in the closed position.
Replace the GUA fitting cover.
____ R.
Verify operations opened the 3" manual valve after trip valve HV-1229.
____ S.
Complete "Final Control Element Checkout Sheet" for solenoid HY-1229B.
Verify operations removed the Car Seal from the "3- way Manual Bypass Valve" at FV1247.
Switch the "3-way Manual Bypass Valve" at FV-1247 to the "BYPASS" position.
____ C.
Remove FY-1247B Solenoid valve GUA conduit fitting cover. Visually inspect the
____ D.
Replace terminal strip if defective or corroded. Initial this step if terminal strip
replacement was required. If replacement is required but material is not available then
write comments in the "Final Control Element Checkout Sheet."
____ E.
Disconnect the Solenoid Valve Wires from the GUA terminal block.
Procedure No.
Revision Date
Page _ of _

||||
--
||| || | ||| || |
||||
____ B.
|||| ||
NOTE Observe FV-1247 for valve movement while completing the next step. FV-1247 should remain in the same position
while turning the "3-way Manual Bypass Valve" to the Bypass Position.
||
____ A.
Follow this step to verify the operation of trip valve FY-1247B, "Recycle Sourwater."
|---
____ 5.
140
ISA-TR84.00.03-2002
____ F.
____ G
alarm condition.
____ H.
____ I.
Verify solenoid valve FV-1247 vents and the pressure gauge located on the "3-way
Manual Bypass Valve" local panel decreases to 0 PSIG.
____ J.
Disconnect the power supply from the Trip Solenoid valve and re-terminate the solenoid
valve wires to the terminal strip.
____ K.
Verify the Output Line Monitor Fault RED LED is extinguished on the Alarms Matrix"
____ L.
Verify (AN-01) Annunciator alarm "XA-5842A" and Hiway 1 TDC alarm "X5842BCC" are
clear.
____ M.
Manually reset the solenoid valve and verify the pressure gauge located on the "3-way
Manual Bypass Valve" local panel returns to the signal output from E/P (FY-1247A).
____ N.
Return the "3-way Manual Bypass Valve" at FV-1247 to the "NORMAL" position.
____ O.
Verify operations replaced the Car Seal on the "3-way Manual Bypass Valve" control
panel at FV-1247.
____ P.
Complete "Final Control Element Checkout Sheet" for solenoid FY-1247B.
Comments ___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
DATE: _____________
--
Procedure No.
Revision Date
Page _ of _
|
||| || | ||| || |
||||
|||| ||
||||
||
|---

141
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex X Model procedure for on-line testing of compressor SIF

GENERIC GUIDELINES
This is the on-line test procedure for the Wet Gas Compressor shutdown system. It is expected that this
system will be tested yearly according to the accompanying procedure. All testing must be done in strict
adherence to all the instructions and requirements of this test procedure. All test equipment must be
verified before using for the function test. All test results must be recorded on the Control Systems
function test worksheet. This form must be dated and signed and must be forwarded to the Control
Systems CSE at the completion of the test.
In addition to this Testing procedure, there is a written Mitigation Plan and a Specific Maintenance
Procedure for this SIF. Craftsmen must be familiar with the mitigation plan and the testing and
maintenance procedures before commencing testing.
Testing of this system and any repair/maintenance items require the implementation of the Mitigation Plan
or the unit must be shut down.
If maintenance is required based on what is found during the test, the craft must perform maintenance in
strict adherence to the maintenance procedures for this system. For example, if any device is recalibrated
or replaced, fill out calibration sheets. Document all other maintenance in field notes attached to the
function test worksheet.
NOTES FOR ON-LINE TEST PREPARATION
The Wet Gas Compressor System cannot be fully tested on-line because the two shutdown outputs,
Motor Stop Contacts and the Discharge Trip Valve, cannot be allowed to operate while the unit is running.
The following procedures are designed to give the tester the best possible assessment of the functionality
of each shutdown loop without actually initiating a shutdown of the compressor. These procedures should
only be used for a standard yearly function test of the system. A full inspection should occur at the three
year interval during turnaround.
1) Override ICS trip outputs
Since there is not a bypass switch for the compressor motor contacts, X-11871, or a bypass valve around
the compressor discharge trip valve, XV-11855, these outputs must be defeated using the keyswitch
output override key. This key is located at the lower right hand corner of the system test tray on the ICS
panel. Turn this keyswitch to the OVERRIDE position - indicated by override LEDs on output modules
and bypass light on Control Board Handswitch. The ICS shutdown system can no longer perform the trip
of the compressor and trip of the discharge valve. However, the manual shutdown switches will still
shutdown the machine, but not trip the discharge valve.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
142
2) Defeat the ICS auto-test system

The auto-test system routinely tests the operation of the ICS cabinet by testing the input modules, logic
modules, and output modules. These tests will activate the LEDs on the face of the I/O cards, making it
difficult to analyze the results of the function test being performed. Therefore, the auto-test should be
defeated. To defeat the auto-test sequence, turn the auto-test keyswitch from the AUTO to MANUAL
position.
Audit performed by: __________________________
Date: ________
Control systems representative: _________________
Date: ________
Operations representative: _____________________
Date: ________
For the on-line function test, the actual Trip Outputs and the Shutdown Handswitches cannot be tested.
Further, the ICS Auto-Test System is continually checking the logic. Therefore, only the Shutdown Inputs
and Input Bypasses need be verified by this function test.
1) L-11609 East First Stage Dry Drum High Level Trip
A. Preparation ( Craftsman )
1. Ensure ICS Cabinet is in Output Override
______
Override LEDs on Output Modules

are illuminated
______
-|
Bypass Light on HS-11871-A
||| || | ||| || |
is illuminated
______
||||
|||| ||
Bypass Light on HS-11855 is

______
NA-11555A in alarm
______
||||
illuminated
|
||
|---
2. Check calibration for LT-11609.
______
3. Check that all S/D components are painted

red and all have a red tag.
______
B. Function Test (Craftsman/Inspector)

1. Verify LY-11609 Analog Input Trip Setting by
selecting the toggle switch to A and pressing
the meter pushes button. Read the trip setting off
of the Analog Display Module and record this
value as the As Found value under the ICS
Procedure No.
Revision Date
Page _ of _

143
ISA-TR84.00.03-2002
Trip Card column.
______
2. Simulate signal to check trip setting.
______
3. Verify trip indicators.
______
LAHH-11609 in alarm
______
ICS Output Cards LED

changed state
______
4. Set bypass key switch to ENABLE position

and move toggle switch on LY-11609 input card
--
______
5. Verify Input Bypass indicator.
______
to the BYPASS position.
||| || | ||| || |
||||
|||| ||
Bypass LED on Input Card

is illuminated
______
||||
|
||
______
7. Verify trip indicator.
______
|---
6. Simulate signal to check trip.
LAHH-11609 in alarm
______
8. Return system to ready to operate mode.
______
Disconnect field test equipment
______
Verify NOT in S/D condition
______
Return LY-11609 bypass toggle

switch to the center position.
______
9. Complete required forms.
______
Malfunction Sheet
______
DPMC-3319
______
2) L-11608 West First Stage Dry Drum High Level Trip

A. Preparation (Craftsman)
1. Ensure ICS Cabinet is in Output Override."
Override LEDs on Output Modules are illuminated
Procedure No.
Revision Date
Page _ of _

______
______
ISA-TR84.00.03-2002
144
Bypass Light on HS-11871-A is illuminated
______
Bypass Light on HS-11855 is illuminated
______
NA-11555A in alarm
______
______

______
B. Function Test ( Craftsman/Inspector )

the meter push button. Read the trip setting off
Trip Card column.
______
______
______
LAHH-11608 in alarm
______
ICS Output Cards LED changed state
______
--
|
||| || | ||| || |

______
______
||||
|||| ||
||||
|
Bypass LED on Input Card is illuminated
______
||
|---
______
______
LAHH-11608 in alarm
______
______
______
______
Procedure No.
Revision Date
Page _ of _

145
ISA-TR84.00.03-2002

______
______
Malfunction Sheet
______
DPMC-3319
______
3) L-11621 Second Stage Dry Drum High Level trip

A. Preparation ( Craftsman )
______
______
______
______
NA-11555A in alarm
______
______

______
B. Function Test ( Craftsman/Inspector )

||
|---
______
______
LAHH-11621 in alarm
______
ICS Output Cards LED

changed state
______
Procedure No.
Revision Date
Page _ of _

|||| ||
--
||||
______
||| || | ||| || |
Trip Card column.
||||
ISA-TR84.00.03-2002
146

______
______
Bypass LED on Input Card

--
is illuminated
______
|
||| || | ||| || |
______
______
||||
|||| ||
LAHH-11621 in alarm
______
||||
______
|
||
|---
______
______

______
______
Malfunction Sheet
______
DPMC-3319
______
4) L-11843 First Stage Suction Boot High Level Trip

______
______
______
______
NA-11555A in alarm
______
______

______
Procedure No.
Revision Date
Page _ of _

147
ISA-TR84.00.03-2002

Trip Card column.
______
______
______
LAHH-11843 in alarm
______
______

______
______
______
______
______
LAHH-11843 in alarm
______
______
______
______

______
______
Malfunction Sheet
______
DPMC-3319
______
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
148
5) L-11857 Second Stage Suction Boot High Level Trip

______
______
______
NA-11555A in alarm
______
______
--
||| || | ||| || |
||||
|||| ||
||||
|---
______
||

______

1. Verify LY-11857 Analog Input Trip Setting by selecting
the toggle switch to A and pressing the meter push button.
Read the trip setting off of the Analog Display Module and record
this value as the As Found value under the ICS
Trip Card column.
______
______
______
LAHH-11857 in alarm
______
______

______
______
______
______
______
Procedure No.
Revision Date
Page _ of _

149
ISA-TR84.00.03-2002
LAHH-11857 in alarm
______
______
______
______

______
______
Malfunction Sheet
______
DPMC-3319
______
6) L-11895 Overhead Seal Oil Tank Low Level Trip

______
______
______
______
NA-11555A in alarm
______
2. Check calibration for LSLL-11895.
______

______
______
2. Verify trip indicators
______
______
--
and move toggle switch on LSLL-11895 input

______
Procedure No.
Revision Date
Page _ of _
||||
|
card to the BYPASS position.
|||| ||
||||
______
||| || | ||| || |
LALL-11895 in alarm
||
|---
ISA-TR84.00.03-2002
150
______
______
______
______
LALL-11895 in alarm
______
______
______
______
Return LSLL-11895 bypass toggle

______
______
Malfunction Sheet
______
DPMC-3319
______
7) P-11876 C-6800 Low Lube Oil Pressure Trip

______
______
______
______
NA-11555A in alarm
______
|||| ||
||||
||| || | ||| || |
______
2. Check calibration for PT-11876.
||||
||
|---
______

1. Verify PT-11876 Analog Input Trip Setting by selecting
the toggle switch to A and pressing the meter push button.
Read the trip setting off of the Analog Display Module and record
Procedure No.
Revision Date
Page _ of _
--

151
ISA-TR84.00.03-2002
this value as the As Found value under the ICS

Trip Card column.
______
______
3. Verify trip indicators
______
PALL-11876 in alarm
______
______

and move toggle switch on PT-11876 input card
______
______
______
______
______
PALL-11876 in alarm
______
______
______
______
______
||||
||
|---
Return PT-11876 bypass toggle
______
______
DPMC-3319
______
--
8) N-11555-AA/AB High Axial Vibration Trip
||| || | ||| || |
Malfunction Sheet
||||
|||| ||
NOTE
These loops must be audited by maintenance.
______
______
______
Procedure No.
Revision Date
Page _ of _

152
ISA-TR84.00.03-2002
______
NA-11555A in alarm
______
2. Check condition of vibration monitors and wiring harness.
______

______

1. Simulate signals to check trip settings.
______
______
NAHH-11555-D in alarm
______
______

and move toggle switch on NIS-11555-AA/AB
input card to the BYPASS position.
______
______
______
______
______
NAHH-11555-D in alarm
______
______
______
______
Return NIS-11555-AA/AB bypass

toggle switch to the center position.
______
______
Malfunction Sheet
______
DPMC-3319
______
9) N-11555-Z1/6 C-6800 High Radial Vibration Trip
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

153
ISA-TR84.00.03-2002
These loops must be audited by maintenance.

______
______
______
______
NA-11555A in alarm
______
2. Check condition of vibration monitors and wiring harness.
______

______

1. Simulate signals to check trip settings.
______
______
NAHH-11555-C in alarm
______
______
3. Set bypass key switch to ENABLE position and move

toggle switch on NIS-11555-Z1-6 input card to the BYPASS position.
______
______
______
______
______
NAHH-11555-C in alarm
______
______
______
______
||||
||
|---
______
--
Procedure No.
Revision Date
Page _ of _
||||
______
||| || | ||| || |
toggle switch to the center position.
|||| ||
Return NIS-11555-Z1-6 bypass

ISA-TR84.00.03-2002
154
Malfunction Sheet
______
DPMC-3319
______
Restoring the System to Normal Operation

This completes this SIS Inspection. Ensure that all shutdown inputs are in the normal run condition.
Return the bypass toggle switches on each input module to the center position and turn the bypass
keyswitch to the OFF position. Return the Output Override Keyswitch to the NORMAL position. Return
the ICS Auto-Test keyswitches to the NORMAL and AUTO positions.
Comments ___________________________________________________________
___________________________________________________________
--
___________________________________________________________
|
||| || | ||| || |
___________________________________________________________
||||
___________________________________________________________
|||| ||
||||
___________________________________________________________
|
||
|---
___________________________________________________________
___________________________________________________________
___________________________________________________________
DATE: _____________
Procedure No.
Revision Date
Page _ of _

155
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex Y Model procedure for on-line testing of 2oo3 temperature elements

SAFETY CRITICAL
******************
TASK NO:
TAG NO.:
MT284-HCO
PID NO:
901-198-25A, 28A, 30B, 31A
LOGIC DIA.:
901-191-856, 857, 859
SERVICE:
-----------ACETYLENE CONVERTERS M-R-03D, HIGH OPERATING BED TEMPERATURE CUTOUT
************************************************************************
System description:
----------------------This is a 2 out of 3 trip logic system. High operating bed temperature trip will operate all valves listed
below.
Final control elements:
-----------------MR011-BV (closes), MR014-BV (opens), MR015-BV (closes),
MR065-BV (closes).
NOTE:
-------1. The thermocouples used in this trip circuit are upscale burnout.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

156
ISA-TR84.00.03-2002
2. MT284-HCOA is the common alarm for this trip system.

3. Defeat alarm:
MT282-DSA
Discrepancy alarm: MT287-DIA

High temp alarm:
MT283-HA
4. TDC point alarms are on Console 3A, group C-8.

5. Before proceeding, verify that no other potential trip alarm conditions exist for M-R-03D by observing
alarm panel status. If an abnormal condition exists, turn to appropriate inspection procedure and
correct problem. Defeat switch common alarm must be OFF.
CHECK
On ( )
Off ( )
Access the INSTRUMENT RECORD SYSTEM and confirm the following:

Transmitter range
[ 0 to 1100 deg F ]
High alarm setpoint
[ 400 deg F ]
High confirmed CHECK
Yes
( )
No
( )
NOTIFY OPERATIONS
*********************
INSPECTION APPROVAL
Time and Date
Initials Operations Supervisor
CAUTION:
------------Individual defeat switches MT242, MT243, MT244, MT245, MT246, MT247, MT248, MT249, MT250,
MT251-DS or the Master defeat switch, MR03D-DS must be in defeat position before inspection begins.
Verify defeat position by observing red light and defeat alarm. Shutdown of all acetylene converters will
occur if switches are not in Defeat position.
-|
||| || | ||| || |
NOTICE:
-----------
||||
|||| ||
Remind Console Operator to follow precaution plan for Defeat of any Safety Critical System, and also to
log this defeat in the Safety Critical System Defeat Log."
||||
Check
( )
|
||
|---
1. Did you obtain necessary work permit ?

Which type ?
Hot work
Yes ( ) No ( )
( )
Instrument
( )
2. This check cannot be done if M-R-03D is in REGEN mode.

Procedure No.
Revision Date
Page _ of _

157
ISA-TR84.00.03-2002
3. If M-R-03D is in Stand-by mode, have Operations put it in On-line mode.

4. Control room check:
a. Go to the TDC Console, record the current readings listed below.
Point temperatures:
1st set
2nd set
3rd set
TDC point
degF
degF
degF
degF
MT310 [
MT319 [
MT328 [
MT243 [
MT311 [
MT320 [
MT329 [
MT244 [
MT312 [
MT321 [
MT330 [
MT245 [
MT313 [
MT322 [
MT331 [
MT246 [
MT314 [
MT323 [
MT332 [
MT247 [
MT315 [
MT324 [
MT333 [
MT248 [
MT316 [
MT325 [
MT334 [
MT249 [
MT317 [
MT326 [
MT335 [
MT250 [
MT318 [
MT327 [
MT336 [
MT251 [
MT288 [
MT289 [
MT337 [
--
MT242 [
|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
b. Compare the readings. If there is any transmitter which needs to be repaired or replaced, do it first
before continuation of this inspection.
c.
Verify the high alarm set point at the TDC console.

Check
OK
( )
Check
OK
( )
d. Verify the high cutout set point at the TDC console.
Procedure No.
Revision Date
Page _ of _

158
ISA-TR84.00.03-2002
5. Remove thermocouple head cover and check condition for contamination.

Ok ( )
Bad ( )
MT310
Ok ( )
Bad ( )
MT243
Ok ( )
Bad ( )
MT311
Ok ( )
Bad ( )
MT244
Ok ( )
Bad ( )
MT312
Ok ( )
Bad ( )
MT245
Ok ( )
Bad ( )
MT313
Ok ( )
Bad ( )
MT246
Ok ( )
Bad ( )
MT314
Ok ( )
Bad ( )
MT247
Ok ( )
Bad ( )
MT315
Ok ( )
Bad ( )
MT248
Ok ( )
Bad ( )
MT316
Ok ( )
Bad ( )
MT249
Ok ( )
Bad ( )
MT317
Ok ( )
Bad ( )
MT250
Ok ( )
Bad ( )
MT318
Ok ( )
Bad ( )
MT251
Ok ( )
Bad ( )
MT288
Ok ( )
Bad ( )
MT319
Ok ( )
Bad ( )
MT328
Ok ( )
Bad ( )
MT320
Ok ( )
Bad ( )
MT329
Ok ( )
Bad ( )
MT321
Ok ( )
Bad ( )
MT330
Ok ( )
Bad ( )
MT322
Ok ( )
Bad ( )
MT331
Ok ( )
Bad ( )
MT323
Ok ( )
Bad ( )
MT332
Ok ( )
Bad ( )
MT324
Ok ( )
Bad ( )
MT333
Ok ( )
Bad ( )
MT325
Ok ( )
Bad ( )
MT334
Ok ( )
Bad ( )
MT326
Ok ( )
Bad ( )
MT335
Ok ( )
Bad ( )
MT327
Ok ( )
Bad ( )
MT336
Ok ( )
Bad ( )
MT289
Ok ( )
Bad ( )
MT337
Ok ( )
Bad ( )
--
MT242
|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
6. Thermocouple burnout check:

a. Disconnect thermocouple input one at a time at head for below listed thermocouples.
b. When any sensor failure occurs, the point temperature will read upscale for thermocouple open
circuit failures. The discrepancy alarm will also come on. Disconnect each thermocouple sensor
one at a time as listed in the following table and verify this action.
Procedure No.
Revision Date
Page _ of _

159
ISA-TR84.00.03-2002
Discrepancy alarm
MT242
On ( )
Off ( )
MT243
On ( )
Off ( )
MT244
On ( )
Off ( )
MT245
On ( )
Off ( )
MT246
On ( )
Off ( )
MT247
On ( )
Off ( )
MT248
On ( )
Off ( )
MT249
On ( )
Off ( )
MT250
On ( )
Off ( )
MT251
On ( )
Off ( )
MT310
On ( )
Off ( )
MT311
On ( )
Off ( )
MT312
On ( )
Off ( )
MT313
On ( )
Off ( )
MT314
On ( )
Off ( )
MT315
On ( )
Off ( )
MT316
On ( )
Off ( )
MT317
On ( )
Off ( )
MT318
On ( )
Off ( )
MT288
On ( )
Off ( )
MT319
On ( )
Off ( )
MT320
On ( )
Off ( )
MT321
On ( )
Off ( )
MT322
On ( )
Off ( )
MT323
On ( )
Off ( )
MT324
On ( )
Off ( )
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

160
ISA-TR84.00.03-2002
MT325
On ( )
Off ( )
MT326
On ( )
Off ( )
MT327
On ( )
Off ( )
MT289
On ( )
Off ( )
7. Perform 2 out of 3 voting logic check:

a. Disconnect 1st input. Only the discrepancy alarm should come on. The high alarm and the
cutout alarm should not come on.
b. Disconnect 2nd input. The high alarm and the cutout alarm should come on.
c.
Record condition of cutout alarm below.
d. Reconnect both inputs. Record condition of the cutout alarm below.

e. Repeat procedures above for all combinations in the table below.
MT242
MT310
X
X
MT319
MT311
X
X
MT320
On ( ) Off ( )
X
On ( ) Off ( )
Reconnect
Cutout alarm
On ( ) Off ( )
On ( ) Off ( )
On ( ) Off ( )
X
--
Procedure No.
Revision Date
Page _ of _
||| || | ||| || |
||||
|||| ||
||||
||
Cutout alarm
On ( ) Off ( )
MT243
Reconnect
On ( ) Off ( )
|---

161
MT244
MT312
ISA-TR84.00.03-2002
MT321
Reconnect
Cutout alarm
On ( ) Off ( )
X
X
MT245
MT313
On ( ) Off ( )
On ( ) Off ( )
MT322
On ( ) Off ( )
Reconnect
Cutout alarm
On ( ) Off ( )
X
X
On ( ) Off ( )
On ( ) Off ( )
X
MT246
MT314
MT323
MT315
Reconnect
Cutout alarm
On ( ) Off ( )
MT247
On ( ) Off ( )
On ( ) Off ( )
On ( ) Off ( )
MT324
On ( ) Off ( )
Reconnect
Cutout alarm
On ( ) Off ( )
X
X
On ( ) Off ( )
On ( ) Off ( )
X
On ( ) Off ( )
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

162
ISA-TR84.00.03-2002
MT316
MT325
Reconnect
Cutout alarm
--
MT248
|
||| || | ||| || |
||||
On ( ) Off ( )
X
On ( ) Off ( )
On ( ) Off ( )
|||| ||
On ( ) Off ( )
Reconnect
Cutout alarm
||||
X
|
||
|---
MT249
MT317
X
X
MT250
MT318
X
X
MT251
MT288
X
X
MT326
On ( ) Off ( )
X
On ( ) Off ( )
On ( ) Off ( )
MT327
On ( ) Off ( )
Reconnect
Cutout alarm
On ( ) Off ( )
On ( ) Off ( )
On ( ) Off ( )
MT289
On ( ) Off ( )
Reconnect
Cutout alarm
On ( ) Off ( )
On ( ) Off ( )
On ( ) Off ( )
X
On ( ) Off ( )
8. Final control elements check:

a. Notify Operations that you are ready for the final control elements trip actuation. Have
Operations prepare the final control elements for trip actuation check.
Procedure No.
Revision Date
Page _ of _

163
ISA-TR84.00.03-2002
b. As per Operations procedure for final control elements check, simulate a trip condition. Change
the status of the defeat switch and observe the actuation of the valve. Record status below.
Defeat
MR011-BV actuation
MR014-BV actuation
ON
Yes ( ) No ( )
Yes ( ) No ( )
OFF
Yes ( ) No ( )
Yes ( ) No ( )
Defeat
MR015-BV actuation
MR065-BV actuation
ON
Yes ( ) No ( )
Yes ( ) No ( )
OFF
Yes ( ) No ( )
Yes ( ) No ( )
9. Transmitter calibration:
Type K Thermocouple
a. Disconnect thermocouple leads from the terminals.

b. Connect a millivolt source (Transmation or equivalent) to the input of the transmitter.
c.
Connect a milliamp meter to the output of the transmitter.
d. Check transmitter zero and span. Record as found values below.

e. Re-calibrate, if necessary and record as left values.
f.
Proceed to next transmitter

until all transmitter listed have been checked.
MT242-T
MT310-T
MT319-T
MT328-T
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
||| || | ||| || |
||||
|||| ||
||||
||
|---
As found LRL, ma dc
--
Procedure No.
Revision Date
Page _ of _
164
ISA-TR84.00.03-2002
MT243-T
MT311-T
MT320-T
MT329-T
As found LRL, ma dc
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
MT244-T
MT312-T
MT321-T
MT330-T
As found LRL, ma dc
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
MT245-T
MT313-T
MT322-T
MT331-T
As found LRL, ma dc
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
MT246-T
MT314-T
MT323-T
MT332-T
As found LRL, ma dc
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

165
MT324-T
MT33-T
As found LRL, ma dc
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
MT316-T
MT325-T
MT334-T
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
|||| ||
||||
||| || | ||| || |
--
As found LRL, ma dc
||||
MT248-T
|---
MT315-T
||
MT247-T
ISA-TR84.00.03-2002
MT249-T
MT317-T
MT326-T
MT335-T
As found LRL, ma dc
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
MT250-T
MT318-T
MT327-T
MT336-T
As found LRL, ma dc
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
Procedure No.
Revision Date
Page _ of _

166
ISA-TR84.00.03-2002
MT251-T
MT288-T
MT289-T
MT337-T
As found LRL, ma dc
As left LRL, ma dc
As found URL, ma dc
As left URL, ma dc
10. Replace all covers.

11. Visual checks:
Tagging:
a. Are all instrument in this task tagged with a special tag identifying them as Critical Instrument?
Yes
( )
No
( )
As Critical Instrument ( )
As Safety Critical Instrument
b. Tagging condition:
( )
Good
( )
Bad
( )
Bad
( )
If bad check below.
Conduit system:
OK
( )
Covers off
[ ]
Drains missing [ ]
Supports gone
Seal needed
[ ]
Flex bad
[ ]
Conduit broken [ ]
Fitting bad
[ ]
Corrosion
[ ]
Other
Details
Correction made?
[ ]
[ ]
]
Yes
( )
No
( )
Block valve:MOV MR011-BV

Piping gasket leak [ ]
Valve gasket leak
[ ]
Packing gland leak [ ]
Sticky stem action
[ ]
Details

Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||

|---
167
ISA-TR84.00.03-2002
Valve gasket leak
[ ]
Sticky stem action
[ ]
Details

Valve gasket leak
[ ]
Sticky stem action
[ ]
Details

Valve gasket leak
[ ]
Sticky stem action
[ ]
Details
12. Verify that ALL cutout alarms are now OFF.

Check On
( )
13. Return ALL individual defeat switches and Master Defeat switch to in
Off
( )
SERVICE position.
Check ( )
14. Notify Operations
---------------------Time and Date
Inspection complete.
-----------------------
---------------------------------------
Initials Tech.
Initials Maint. Supvr.
************************************************************************
RECOMMENDED CORRECTIVE ACTION
Procedure No.
Revision Date
Page _ of _
(comment below)
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

|--||
|
||||
|||| ||
||||
||| || | ||| || |
|
--

169
ISA-TR84.00.03-2002
-|
||| || | ||| || |

BODY OF ISA-TR84.00.03-2002.
||||
Annex Z Model procedure for testing final control elements when manual
bypass valves are provided
|||| ||
||||
Converter Output Trip Verification
|
||
|---
This procedure will test the trip outputs by opening the T/C (Upscale Burnout). Two thermocouple inputs
will be disconnected to simulate a trip condition and the solenoids and trip indications will be verified. This
test will cause a total system trip.
End Device Isolation
In order to validate that the interlock will perform its associated trip action when required, it is necessary
to periodically test the end control devices such as control valves, block valves, and motor operated
valves. However, in an on-line testing situation the unit operations cannot be altered or upset. Therefore,
appropriate provisions should be made to isolate these end devices. This following section is intended to
cover the methods necessary to perform this isolation in a safe manner.
Valve Isolation
Valves should be isolated in accordance with plant operating guidelines and safety guidelines.
WARNING!
Once the following valves are bypassed, the Converters cannot be tripped automatically by the SIF.
Therefore, the Control Room Operator should monitor closely all critical process variables and notify the
Field Operator immediately if an upset condition occurs so that he can remove all bypasses and allow the
SIF to trip the converters.
The following steps should be taken:
1. Before attempting to perform this critical portion of the on-line test, verify with the Operations
Representative that it is safe to isolate and test the affected equipment.
Initials ______ Date:
2. Isolate the Shutdown Solenoid Valve (XV-5318) to the Hydrogen Feed Control Valve (FV-5318). This
is accomplished as follows:
Remove the car-seal from hand operated valve HS-5318 located on the bypass panel by the control
valve.
Turn hand valve HS-5318 until the solenoid valve is isolated.
Procedure No.
Revision Date
Page _ of _

170
ISA-TR84.00.03-2002
Connect instrument air supply to test port on bypass panel and apply air pressure.
3. Isolate the Shutdown Solenoid Valve (XV-5324) Hydrogen Feed Block Valve (FV-5324). This is
accomplished as follows:
Remove the car-seal from hand operated valve HS-5324 located on the bypass panel by the block
valve.
4. Isolate the Shutdown Solenoid Valve (XV-5325) to the Hydrogen Feed Control Valve (FV-5325). This
is accomplished as follows:
Remove the car-seal from hand operated valve HS-5325 located on the bypass panel by the control
valve.
5. Isolate the Shutdown Solenoid Valve (XV-5323) Hydrogen Feed Block Valve (FV-5323). This is
accomplished as follows:
Remove the car-seal from hand operated valve HS-5323 located on the bypass panel by the block
valve.
6. Place Converter Inlet Motor Operated Valve MOV-5379 in Test Bypass. This is accomplished by
placing the MOV-5379C S/D Bypass Test switch located on the local bypass panel in the Bypass
position. The amber shutdown bypass light located at the bypass panel box will illuminate to indicate
that the Shutdown/Bypass switch is in the bypass position. V5379S in TDC will also indicate MOV5379 bypassed.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

171
ISA-TR84.00.03-2002
7. Place Converter Outlet Motor Operated Valve MOV-5390 in Test Bypass. This is accomplished by
placing the MOV-5390C S/D Bypass switch located on the local bypass panel in the Bypass
position. The amber shutdown bypass light located at the bypass panel box will illuminate to indicate
that the Shutdown/Bypass switch is in the bypass position. V5390S in TDC will also indicate MOV5390 Bypassed.
8. Isolate the Shutdown Solenoid Valve (XV-5386) Temperature Control Valves (TV-5386A & TV5386B). This is accomplished as follows:
Remove the car-seal from hand operated valve HS-5386 located by the control valve under the
Converter fin fans.
9. Isolate the Converters Flare Vent Valves (V-5379 and V-5376). This is accomplished as follows:
Remove the car-seal and close the manual block valve located directly upstream of the automatic
block valves (V-5379 and V-5376).
-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

173
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex AA Example of a testing documentation form for off-line tests

(Example on following page.)
-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

-|
174
||| || | ||| || |
ISA-TR84.00.03-2002
||||
|||| ||
INST.
SERVICE
||||
NO.
PROCESS
DEVICE
SETTINGS
SETTING
FAILURE LIMITS
AS
Failed?
FOUND
LEFT
(Mark with
AS
||
|---
XV-5083
XV-7092
XV-7104
XV-7128
XV-7132
XV-8505
XV-8506
XV-8511
LEVEL, 1ST. STG.

SUCTION DRUM.
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
LEVEL, . STG.
SUCTION DRUM.
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
LEVEL, 3RD. STG.

SUCTION DRUM
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
LEVEL, 4 TH. STG.

SUCTION DRUM.
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
LEVEL, 4 TH. DISC.

SUCTION DRUM
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
LUBE OIL PRESSURE
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
TRIP RELAY FOR

MANUAL S/D
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
MAIN HEADER
15# Dec.
13.5# DEC. TO
TRIP RELAY
XV-8701
XV-8702
XV-8703
XV-8909
16.5# DEC.
LEVEL, 1ST. CASE

SEAL OIL POT.
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
LEVEL, 2ND. CASE

SEAL OIL POT.
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
LEVEL, 3RD. CASE

SEAL OIL POT.
TRIP 3# DEC.
TRIP 3# DEC.
RESET 10 INC.
RESET 10 INC.
LOW GOV. OIL
15# Dec.
13.5# DEC. TO
PRESS. S/D RELAY

XV-8910
LOW SUCT. DRUM
16.5# DEC.
15# Dec.
PRESS. S/D RELAY

PI-5083
PI-7092
PI-7104
13.5# DEC. TO
16.5# DEC.
OUTPUT OF LS-5083
0#
0# TO 2#
ON S/D BOX
20#
18# TO 22#
OUTPUT OF LS-7092
0#
0# TO 2#
ON S/D BOX
20#
18# TO 22#
OUTPUT OF LS-7104
0#
0# TO 2#
ON S/D BOX
20#
18# TO 22#
Procedure No.
Revision Date
Page _ of _

175
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex BB Model SIF testing policy statement

The policy related to SIF testing shall apply to the SIF installed at this facility unless approved in writing
by the facility safety review committee.
Policy Statement:
1. There is a requirement that our Safety Instrumented Functions be tested from the sensor all the way
through the final control element. Some systems may require on-line test capability since they are
normally operated longer than the one-year nominal test interval.
It is understood that in some applications, exercising the final control element (control valve, motor,
etc.) is not practical while the unit is running. In these applications, provisions shall be made to test
the system all the way through the solenoid valve or motor starter interface relay. These final control
elements shall then be exercised at the first opportunity (i.e., during unit turnaround).
Any by-pass system installed to enable on-line testing will have safeguards installed to ensure the
system is not accidentally defeated or left in the by-pass position. This shall include alarming when in
the bypass position, use of key lock switches, written procedures regarding bypasses, etc.
2. If a SIF has failed its proof test in two consecutive tests due to the same problem, a recommendation
shall be made to location management for a specific corrective action plan. One part of this plan is a
root cause analysis of the problem. Note that just replacing a failed component is not sufficient. If
further data is needed to identify the problem or to assure that the problem has been eliminated by
the corrective action, an adjustment in the proof-testing interval may be recommended.
3. The following will be used in the future as a definition of a "Failed Proof Test." (Note that Proof Test
and Functional Test are the same test.) A Failed Proof Test is defined as a test result indicating that
the system is not functioning within the defined process variable tolerance and may not be performing
to its designed specifications. A default value of +/- 10 percent of the process variable setpoint shall
be used unless the test procedure specifies a more specific tolerance value.
E.g., a pressure transmitter was calibrated from 0-100 psi with an 80-psi high pressure trip setting. If
this system tripped within 10% of 80 psi (e.g., between 72 psi and 88 psi), this system has
successfully passed its proof test. The intent is that the proof test be conducted before any repairs or
modifications are made to the system.
The following definitions apply to redundant inputs. On systems with a 1oo2 input architecture, if one
of the transmitters passes the above proof test, then the system is defined as passing. In this case,
one of the transmitters may have failed but the system would still have functioned as designed. On
systems with a 2oo3 input architecture, if two of the transmitters pass the proof test requirements, the
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
176
system is defined as passing.
4. Reports outlining the results of proof tests shall be sent to the facility safety review committee within
30 days of a test. The report shall state the systems performance as well as any deficiency. These
reports shall be filed with the SIF documentation for a period of three years.
5. All SIF are required to be functionally tested in accordance with a test schedule based on the SIL
determination criteria for the SIF. The test schedule should indicate the month (schedule month) and
year in which the next function test is to be performed. The test due date is the last day of the
scheduled month. A test performed any time within the scheduled month is considered "in
compliance."
||
|
||||
|||| ||
--
||| || | ||| || |
||||
If a test is performed after its scheduled month, the test is considered "out of compliance with proof
testing interval" until the test is performed unless the test is formally deferred (see Annex B). The
scheduled month, though, would not need to be changed for subsequent tests because it would still
fall within the required test interval in the next test cycle. The scheduled month may be changed to
the month in which the test was actually performed to take advantage of the entire allowed test
interval, if so desired.
|---
If a test is performed prior to its scheduled month, the test is considered as being "in-compliance."
But the system must be either retested in its originally scheduled month or the scheduled month must
be changed to the month in which the test was actually performed. If changed, the new scheduled
month will then be used as the basis for scheduling subsequent tests.
Procedure No.
Revision Date
Page _ of _

-|
177
ISA-TR84.00.03-2002
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Annex CC Possible SIF performance metrics

The following metrics may be good indicators of SIF performance. These metrics could be tracked and
reported on a quarterly or annual basis using a spreadsheet format.
SIF Availability calculated using one of the approved methods in ISA-TR84.00.03-2002 and SIF test
results. Only the number of SIF functional tests performed and number of SIF tests failed are
required. These numbers could be accumulative totals for the past three year period.
Number of SIF identified and classified by SIL by PHA.
Number of SIF evaluated against SIL requirements.
Number of SIF that meet SIL requirements.
Number of SIF successful trips and, where feasible, estimated $ savings.
Number of unsuccessful trips and actual $ cost.
Number of covert failures discovered during testing that could have resulted in high consequence
event if a SIF demand had occurred and, where feasible, estimated potential $ impact.
SIF Availability Calculations
The SIF performance capability should be defined by one of the three calculational techniques outlined in
ISA-TR84.00.02-2002. A technique should be selected and all SIF evaluated using the same technique.
Failure Mode Concepts
Failures in SIF can occur both overtly and covertly. Overt failures typically reveal themselves by tripping
all or part of the SIF. An example would be a normally open fail closed trip valve closing when its
solenoid valve fails resulting in a process upset. The operator would be quickly aware of the failure. If
the process is still running, the operator is aware of the failure and can perform mitigating actions to
simulate the SIF function and respond to demands while the SIF is inoperable. So, overall availability of
the safety function is not greatly affected by overt failures unless the failures are very frequent (MTBF < 1
year).
Covert failures do not reveal themselves and do not affect the operation of the process. They are
potentially hazardous because they may not allow the SIF to perform a safety function should a
hazardous demand occur. The operator is unaware that the SIF is inoperable and is not in state of
readiness to respond to a demand should one occur. Some covert failure modes can be turned into overt
failure modes by using system diagnostics to reveal the failure. However, system function testing is
generally required to reveal and correct covert failures. By their nature, covert failures have the greatest
impact on SIF availability because they can go long periods of time in an unrevealed inoperative state.
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
178
Availability calculations
Whichever method is chosen to perform the SIF availability calculations, a common set of failure rate data
should be used. This data should be agreed upon by a team of facility personnel who have much
experience with the equipment used in implementing SIF. All SIF calculations should use only the agreed
upon database.
What is considered a system failure?
In simplest terms, a system should be considered to have failed if it cannot perform the safety function for
which it has been designed. First, it presumes that you know safety function the system was designed to
perform. There should be a clear description in the unit Process Hazards Analysis of the scenario or
hazardous event the SIF was designed to prevent. Next, system component failures should not be
considered system failures if they are not in the chain of devices and logic that perform the safety
function. Failures of alarms, system resets and diagnostic components usually do not prevent the system
from providing the safety function when needed. Increasing system availability may require the use of
redundant components. A failure of a single transmitter in a two out of three voting triad should not be
considered a system failure since the other transmitters are still available to perform the safety function.
Transmitter or switch drift should be considered a source of system failures if the drift is beyond the
acceptable safety tolerance for that system. The tolerance will vary from system to system based on the
process hazard and how close the trip point is to the point of hazard. The tolerance on the hazardous side
of the trip point may be different than the tolerance on the nuisance side of the trip point. A general
guideline might be to set the acceptable tolerance no more than (+) or (-) 10% of the process trip point
and at least 5% on the safe side of the point of hazard.
-|
||| || | ||| || |
||||
|||| ||
Trip valves which fail to fully stroke when tripped should be considered system failures. Trip valves which
leak through when fully closed may or may not be considered failures depending on the process. Many
processes can tolerate some amount of leakage through the trip valve and still mitigate the hazardous
event. Some processes require tight shut off to prevent the hazardous event. A leak tolerance should be
designated for each trip valve. Valve leak testing may be required to ensure process leakage is within
tolerance for tight shut off valves.
||||
|
Plugged impulse lines on transmitters should be considered failures.
||
|---
Any logic device or switch which fails and prevents any SIF output from tripping when a SIF trip initiator
trips should be considered a system failure.
Procedure No.
Revision Date
Page _ of _

179
ISA-TR84.00.03-2002
||
||||

BODY OF ISA-TR84.00.03-2002.
|---
--
1. Install manual Bypass Valve. Prove stroke and inspect internals. Operate plant on Bypass Valve
while doing test and inspection.
How can functional tests of SIF valves be conducted in a long run-time plant?
||| || | ||| || |
||||
|||| ||
Annex DD Model technique for testing SIF valves on-line
2. Exercise valve for one stroke with plant operating. Use Valve Diagnostic tool to determine valve
health.
-
May or may not require Bypass Valve.
Portable Diagnostic tool able to detect actuator and mechanical linkage problems plus detect if
leakage is significant.
Tool available for purchase or as a service from valve vendors.
3. Install redundant valves for a SIL 1 application and extend TI to match plant turnaround schedule.
An SIF BV and a shared BPCS throttle valve with redundant SIF solenoid valves provides the maximum
SIF Test Intervals. This results from the effect of operator-provided diagnostics for the throttle valve. The
valve configuration is shown below.
Procedure No.
Revision Date
Page _ of _

180
ISA-TR84.00.03-2002
From SIF
Logic Solver
BPCS
Control
Loop
IA
Open
Close
To Process
Throttle
Valve
--
||| || | ||| || |
||||
|||| ||
||||
||
|---
Block
Valve
Procedure No.
Revision Date
Page _ of _

181
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex EE Automated testing of SIF valves on-line

AutoTest (AT): Requirements
ESD Full Flow Bypass Valves for Normally Open Valves
ESD Block Valves for Normally Closed Valves
ESD Valve Limit Switches
SOV Limits Switches
Software
-
SIF Vendor Auto Test Code
DCS Interface Read / Write Points to Start, Abort & End AT.
DCS Interface Read Only Points to Report Results & Time Stamp
DCS Graphics for AT
Two Types of AutoTest

-
Logic Auto Test: Logic Test Only w/o Tripping Final Control Elements
Trip AutoTest: Tests the Final Control Element Action
||| || | ||| || |
||||
|||| ||
||||
||
|---
Hardware
--
Procedure No.
Revision Date
Page _ of _
182
ISA-TR84.00.03-2002
Logic AutoTest (AT): Steps

Furnace Low Pressure Transmitters (2oo2)
||
2. Operator Selects Logic Test Target if Visible and then OK.
|---
1. Operator Calls Logic Test Display for the Transmitter Pair on the Appropriate DCS Graphic.
||||
|
5. SIS Sets Alarm Flags in DCS (I.e. Pre-Trip, Trip, First-Out, Marks for Associated Effects on Cause &
Effect Matrix).
||| || | ||| || |
4. Process Pre-trip & Trip Setpoints are Replaced with Auto Test Trip Setpoints (a fixed percentage
(3%) higher than current process value)
|||| ||
||||
3. Target Turns Green.
--
6. SIS resets Logic Quick Test.

Notes:
a. No Final Control Element is Tripped.
b. Test only validates ESD Logic Functions.
Trip AutoTest (AT): Steps
SETUP STEPS: Furnace Fuel Gas ESD Valve
1. Operator Manually Opens ESD Bypass Valve.
2. SIF Checks: Final Control Element Status (Open / Close), SOV Status on ESD Valve, Bypass Valve
& SOVs.
3. Trip Test Permissive Target is Visible if Permissives Met.
4. Operator Initiates Auto Test for each SIF Final Control Element via DCS Graphic (Trip Test Target).
5. Pop Up Window: Press OK to Test - OK or Cancel
6. OK Selection Instructs SIF to Initiate Auto Test.
7. If Setup OK in Field - Trip Test Target turns Green - Test Executed.
AT EXECUTION STEPS
1. SOV A is de-energized.
2. SOV A is re-energized & SOV B is de-energized.
3. SOV A & SOV B are Simultaneously De-energized.
4. ESD Valve Trips
5. SIF Checks States of the ESD Valve & SOVs.
Procedure No.
Revision Date
Page _ of _

183
ISA-TR84.00.03-2002
--
||| || | ||| || |
||||
|||| ||
||||
||
|---
Auto Test Example
Procedure No.
Revision Date
Page _ of _

|----
||| || | ||| || |
||||
|||| ||
||||
||

185
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex FF Possible audit protocol for safety instrumented functions

The following documentation shall be available for the Audit Team at time of audit:
Copies of SIF Manual for system being audited
Copies of all plant policies related to SIF
Copies of all SOPs related to SIF being audited
List of key personnel responsible for SIF being audited
Key plant contact during audit _______________________________
Copy of change logs and history logs of system being audited if not contained in SIF
manual
Audit Team Members: _______________________________ Location: ________________
Scope of Audit:
_______________________________
________________
_______________________________
________________
_______________________________
________________
_______________________________
________________
This audit of the SIF specified above covers the following:
SIF Documentation
SIF Procedures
Adherence to General Design Requirements for SIF
Validation of SIF Function both before system startup for the first time and
maintaining the systems capability
Procedure No.
Revision Date
Page _ of _

||| || | ||| || |
--
SIF to be audited _____________________________________________
||||
|||| ||
||||
||
|---
186
ISA-TR84.00.03-2002
I. Review documentation for SIF

Issue
Standard
Finding
Auditor
Reference
A. SIF Manual
1. All copies are the same
2. Contents of manual
NOTE All of the following documents do not have to be in the same manual (binder), but they must be readily available for
use if required.
a. TOC or Index
b. Drawings describing shutdown system (list
available)
c. Narrative description of shutdown system
d. Simple block schematic of shutdown
system (optional)
--
e. List of Pre-Alarm and S/D set points
|
||| || | ||| || |
f. Copies of change authorizations with

approvals
g. Copy of change procedure
||||
|||| ||
h. Copy of Functional Test Procedure

i. Indication of required manual test frequency
||||
j. Copies of any bypass procedures required
|
||
|---
k. Bypass procedure approvals

l. System audit records
m. Copies of system availability calculations, if
appropriate
Procedure No.
Revision Date
Page _ of _

187
ISA-TR84.00.03-2002
I. Review documentation for SIF (cont)

Issue
Standard
Finding
Auditor
Reference
B. Other Documentation
1. Copy of history register (log) of events
associated with system, i.e., trips, equipment
failures, etc.
2. Copy of system configuration, i.e.,
equipment arrangements with Rev. numbers,
Serial Numbers, etc.
3. Copy of Functional Requirements Specifications (may be several documents)
a. Description of each SIF system initiators
purpose and function in system
b. Description of logic requirements
c. Description of actions system must take and
how this is accomplished
d. Describe requirements related to operator
interface
e. Description of other requirements as
appropriate
C.Documentation Control Procedures
a. Identification of responsibility for
maintenance of documentation
b. Number of copies of documentation
controlled
--
||| || | ||| || |
||||
|||| ||
||||
||
|---
Criteria to consider in audit: Appropriateness of documents, number of copies of documents

maintained, completeness of documentation, clarity of documentation, accessibility of documentation, and
identification of documents as being a part of a SIF.
Procedure No.
Revision Date
Page _ of _

188
ISA-TR84.00.03-2002
II. Review of Procedures Associated with SIF

Issue
Standard
Finding
Auditor
Reference
A. Personnel responsibility
1. Process familiarity
2. System familiarity
3. Design standards familiarity
4. Peer review of design
B. Design, Review and Approval

1. Design Criteria Followed
a. WDT, if appropriate
b. Independent Trip Switch
c. No Automatic Reset
d. No Blind Initiators
e. Failure alarms (opposite direction to trip)
-|
f. Power separation
||| || | ||| || |
2. Initial design review
||||
|||| ||
C. Management of Change Procedures

1. Set Point changes
||||
2. Logic changes
|
||
3. Vendor software changes
|---
4. Valve action changes

5. Hardware changes
6. Wiring changes
7. Testing frequency changes
8. Process changes
Procedure No.
Revision Date
Page _ of _

189
ISA-TR84.00.03-2002
II. Review of Procedures Associated with SIF (cont)

Issue
Standard
Finding
Auditor
Reference
D. By-pass Procedures
1. No master bypasses
2. Number of bypasses minimized
3. Permissives controlled
4. Bypassing only during stable operation
5. Acceptable bypass methods
6. Evidence of training on bypassing
E. Operating SOPs Available

1. Readily Accessible
2. Understood by operators
F. Maintenance SOPs Available

1. Readily Accessible
2. Understood by technicians
3. Appropriate for components being
maintained
4. Cautions about working on and around
Safety System equipment
G. Availability of system spare parts
H. Records of any internal audits performed
Criteria to consider in audit: Appropriateness of procedures, appropriate levels of experience involved

in design, evidence of adherence to procedures, frequency of audits, understanding of procedures by
operations, maintenance and engineering personnel, qualifications of those approving changes, and
evidence of enforcement of procedures by management.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

190
ISA-TR84.00.03-2002
III. Use of Approved Equipment for SIF

-|
||| || | ||| || |
Issue
Standard
Finding
Auditor
Reference
||||
A. Field Components
|||| ||
1. Sensors
||||
2. Valves
|
||
|---
B. Logic Solvers
C. Software
1. Configuration software
2. Vendor software Version
Criteria to consider in audit: Conformance to approved vendor list for components, use of approved
vendor revision levels for internal software, use of approved configuration software, and appropriate
approvals for any deviations.
IV. Separation between BPCS and SIF

Issue
Standard
Finding
Auditor
Reference
A. Sensors either separate or redundant
B. Logic separation
C. Software separation
D. I/O conversion separation
E. Final control element separation
F. Logic Solver programming station
separation
G. Operator Interface separation
Procedure No.
Revision Date
Page _ of _

191
ISA-TR84.00.03-2002
V. Validation of SIF Functions

Issue
Standard
Finding
Auditor
Reference
A. Field I/O Verification
1. Proper installation
2. Wiring connections
3. Valves
a. PM schedule in place
b. Record of maintenance
||
|---
4. Visual inspection of field devices
||||
B. Functional Test Procedure
|||| ||
1. Written Procedure
||||
2. Specific to this system
||| || | ||| || |
3. Manual frequency specified

4. Forms for recording data
a. All components included in test
--
b. As found condition
c. As left condition
5. Test techniques identified and followed
6. Copy of last functional test performed
available
7. Tests of approved changes included
8. Identification of who is authorized to
perform test
9. Test equipment appropriate
Procedure No.
Revision Date
Page _ of _

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

193
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex GG Example of checklist for auditing an SIF

(a) Is there a register, schedule, or listing of all Safety Functions included in the SIS? Is it up to date?
(b) Do written test procedures exist for SIF?
(c) Are the tests regularly reviewed to ensure that they meet the current standards and operational
requirements?
(d) Do the tests check that the whole system operates correctly?
(e) Is the purpose of each system recorded and is this reflected in the system Integrity Level?
(f) Are settings and the rational for them recorded?
(g) Has consideration been given to the behavior of systems outside their normal operating boundaries?
(h) Are changes to equipment, settings, test procedures, and test intervals made via an established
management of change procedure?
(i) Is the test schedule up to date? Do you inspect it and take action on reports of overdue tests?
(j) Is there a formal SOP, which takes full technical consideration of the consequences, for the bypass or
defeat of safety systems?
(k) Are defects in safety systems repaired quickly?
(l) Are all safety systems tested before being returned to service after repair or modification?
(m) Have process and maintenance personnel received the training necessary to operate, test, and repair
the SIF so as to maintain their design intent and performance?
(n) Do operators and supervisors understand the correct operation of the systems is a part of their
responsibilities?
(o) Have any operational difficulties or incompatibilities between the plant operation and safety system
performance been reported and acted upon?
(p) Are audits carried out which establish if the questions on this list are answered?
(q) Is there documentary evidence to support the answers?
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

195
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex HH Partial instrument trip test (PITT)

INTRODUCTION
In process plants, valves employed for shut off applications remain open while the process is in safe and
controlled state. These valves close only upon a plant trip arising from an out of control process or
during a normal maintenance outage. The performance of such valves is tested only during the
shutdown condition of the process. Economic considerations have driven plant operators to reduce the
frequency of maintenance outages extending continuous operation of plants for many years. State of
the art SIF have extensive features to detect incipient failures within them and redundancy to offer a
high degree of availability. However, the shutoff valve, which is one of the critical elements in the SIF
loop, typically does not have any means of ensuring availability when a demand arises. The availability
of the shutoff valve can be enhanced by periodic partial stroking of the valves on-line without causing
process upset. Almost all SIF valves have pneumatic cylinder actuators driving the valve to a closed
state quickly on the loss of the pneumatic supply. A combination of 3-way solenoid valve and quick
exhaust valve controls the pneumatic drive. On a trip signal the solenoid valve de-energizes cutting off
air supply to the cylinders. The quick exhaust valve vents the cylinder driving to close the valve.
Partial Stroking Of Shut-Off Valves
-|
||| || | ||| || |
||||
Partial Instrument Trip Testing applied to shutoff valve is a scheme of partial stroking of the valve to
ensure its functionality without causing process upset or shutdown in the process plant. The scheme as
indicated in the figure was designed, developed, and tested for on-line implementation of Partial
Instrument Trip Test on shutoff valves.
|||| ||
||||
Under normal operating condition the main trip solenoid valve remains energized passing air supply
through quick exhaust valve to the cylinder of the actuator keeping the valve open.
|
||
|---
The PITT solenoid valve, which remains de-energized normally, is energized to initiate a partial stroke
test. Energisation of PITT solenoid valve causes partial bleeding of the air supply to the shutoff valve
actuator causing the valve to move from its open state. The PITT will be terminated either on travel of
the valve about 10% sensed by 10% limit switch or after a predetermined time.
In case of a trip during the test the main solenoid valve will cutoff the air supply and the cylinder will be
vented through both the quick exhaust valve as well as the PITT valve.
The travel time during the 10% limit during PITT can be used for monitoring the stroke performance of
shutoff valve.
The 10% travel limit actuation during PITT is an indication of the success of the test.
The logic for conducting the PITT is implemented in the SIF system and all information related to PITT is
transmitted to BPCS for report generation and archiving purpose.
Procedure No.
Revision Date
Page _ of _

ISA-TR84.00.03-2002
196
Salient Features of the Scheme

1. PITT is independent.
2. PITT action will not hamper the trip action.
3. Action of PITT solenoid valve improves travel time of shut off valve on a trip.
4. Any failures in PITT solenoid valve will not effect trip action.
5. In the event of failure of main trip solenoid valve, the PITT solenoid valve will act as a backup to
close the valve.
6. Adjustable travel time during PITT.
7. Automated hardcopy report generation as a proof of successful valve test.
8. Facilitates on-line maintenance of PITT solenoid valve.
9. Increase in the frequency of valve test leading to early detection of incipient failures.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

197
ISA-TR84.00.03-2002
GLOSSARY
PITT
Partial Instrument Trip Test
ESD System
Emergency Shutdown system, which shuts down the plant to a safe

state in the event of any out of control processes. The system is also
used for PITT of shutoff valves periodically.
(Emergency Shutdown System)

Shutdown Valve
Shutdown valve is a safety device which remains open and will close
(fail-safe position) in case of trip/shutdown. PITT is performed on this
valve.
Main Solenoid Valve
Main Solenoid valve is the safety device on the SHUTDOWN VALVE

which is normally energized. De-energizes to vent air through
exhaust port to close Shutdown valve on trip/ shutdown.
PITT Solenoid Valve
PITT Solenoid valve is the test solenoid valve to perform PITT. It is

independent of main ESD solenoid valve.
The partial closing is achieved by energizing the PITT solenoid valve

for partially bleeding the air supply to achieve predetermined valve
closing of approximately 10%.
PITT solenoid valve energizes on trip signal complementing the

exhaust valve to improve the speed of shutoff valve closure.
-|
||| || | ||| || |
Since the PITT solenoid valve is programmed to energize on a trip it

acts as a backup to the main solenoid valve.
It is a pneumatic actuated valve. It allows the SHUTDOWN valve to
close very quickly (<1 sec) by bleeding the actuator pressure
through its exhaust port.
Isolation Valve
It isolates the PITT Solenoid for any maintenance.
||||
Quick Exhaust Valve
|||| ||
||||
|
It is also useful to control test travel time/stroke by throttling

(adjusting the bleed rate).
||
|---
100% open limit switch
Valve open status
Close limit Switch
Valve close status
10% close limit Switch
10% Valve close status when PITT is on.
PC with Printer
To monitor/ record the program and timings.
Procedure No.
Revision Date
Page _ of _

198
ISA-TR84.00.03-2002
P IT T R O U T IN E L O G IC F L O W
START
E N E R G IS E P IT T
SOV,
S T A R T P IT T
T IM E R
--
K E E P P IT T
SOV
E N E R G IS E D
|
||| || | ||| || |
||||
R E A D T IM E R
COUNT
& D E -E N E R G IS E
P IT T S O V
YES
S /D V A L V E
CLOSED 10%
?
|||| ||
NO
||||
|
D E -E N E R G IS E
P IT T S O V
YES
NO
||
|---
P IT T T IM E R
T IM E D O U T ?
S E T P IT T
STATUS AS
PASS
S E T P IT T
STATUS AS
F A IL
G ENERATE
P IT T R E P O R T
& A R C H IV E
DATA
END
N O T E .: P A R T O F T H E E S D A P P L IC A T IO N S O F T W A R E . T O B E E X E C U T E D O N IN IT IA T IO N O F P IT T R E Q U E S T .
D O C U M E N T N 0 . 4 5 7 1 -0 0 -1 6 -5 1 -4 0 9 1 B .
Procedure No.
Revision Date
Page _ of _

199
ISA-TR84.00.03-2002
R O U T IN E T O EN H A N C E A C T U A T O R B L E E D O N A T R IP
L O G IC F L O W
START
E N E R G IS E P IT T
S O V & S T AR T
V A L VE S T R O KE
T IM E R
K E E P P IT T S O V
E N E R G IS E D &
K E E P ST R O K E
T IM E R R U N N IN G
NO
VALVE
CLOSED 100%
?
YE S
S T O P S T R O K E T IM E R
& D E -E N E R G IS E P IT T
SOV
G E N E R AT E S /D V A L V E
FU LL ST R OKE
R E P O R T & A R C H IVE
DATA
END
N O T E . P A R T O F T H E E S D A P P L IC A T IO N P R O G R AM . IN IT IA T E D IN T H E E V E N T O F A T R IP S IG N A L
D O C U M E N T N O . 4 5 7 1 -0 0 -1 6 -5 1 -4 0 9 1 C
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

200
||
|---
ISA-TR84.00.03-2002
||||
|||| ||
||||
3DUWLDO,QVWUXPHQW7ULS7HVW3,776FKHPDWLF
6\VWHP
3,776ROHQRLGYDOYH
--
3&ZLWK3ULQWHU
,VRODWLRQYDOYH
6SULQJORDGHGSLVWRQDFWXDWRU
6
,QVWUXPHQW$LU6XSSO\
0DLQ6ROHQRLGYDOYH
=6/
FORVHOLPLWVZLWFK
4XLFN([KDXVW
=6/
=6+
OLPLWVZLWFK
RSHQOLPLWVZLWFK
6KXWGRZQ9DOYH
Procedure No.
Revision Date
Page _ of _
||| || | ||| || |
(6'

201
ISA-TR84.00.03-2002
Annex JJ Vendor packages to perform partial stroke testing of SIF valves

There are a number of valve manufacturers who now provide a package system for performing
diagnostics and partial stroke testing of both sliding stem and 90 turn valves that may be used in SIF
applications. The listing, which follows, does not claim to be the only manufacturers available to do this.
It is just the listing of companies who submitted information related to testing to the committee developing
this document. A brief description of what each system provides is included with the vendor information
for clarification.
Neles Automation
Neles offers a package called the ValvGuard System, which provides automated testing of a valve by
performing a partial stroke of the valve, and measuring valve position as related to air pressure in the
actuator. A fingerprint of the valve can be obtained and compared with original condition of the valve for
analysis of any potential problems. The vendor claims third party certification of their product and
estimates that > 85% of the time the valve will perform the function required of it by the SIF if appropriate
maintenance is performed.
Contact the North American subsidiary at 42 Bowditch Drive, Shrewsbury, MA 01545-8004, telephone
number 1-508-852-3567.
Tyco Valves & Controls
Tyco offers a package called K-MOVE (Manually Operated Verification Equipment), which allows
testing valves without shutting them down. The system works only with rotary action valves at the present
time. The package moves the valve about 20 to minimize the impact on flow through the valve. It is
possible to have the SIF initiate the test and information can be fed back that the test has been
performed.
Tyco can be contacted at 9700 West Gulf Bank Road, Houston, TX 77040, and telephone number 713466-1176.
DRALLIM Controls
Drallim offers a non Contact Real Time Testing and Monitoring system for emergency isolation valves and
associated control devices called VALVEWATCH. They claim that due to the speed of the test action that
in some cases full closure of the valve may be possible.
Drallim can be contacted at Drallim Industries Inc., Grogans Mill Rd, Suite 125, The Woodlands, TX
77380, telephone number 261-296-1665.
Siemens
Siemens offers a smart valve positioner that provides diagnostic capabilities with the information readily
available using the HART protocol.
Siemens can be contacted at Siemens Energy & Automation, Inc., Process Industries Division, Mail Stop
510, 1201 Sumneytown Pike, Spring House, PA 19477-0900, telephone number 215-646-7400.
Emerson Controls
Emerson Controls, formerly Fisher-Rosemount, offers a valve diagnostic package called FIELDVUE
DVC6000 for Safety Instrumented Systems.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
202
For information contact Emerson Process Management - Fisher Controls Division, 205 South Center
Street, Marshalltown, IA 50158, telephone number 641-754-3011.
Industrial Control Specialists
Industrial Control Specialists has developed a technique called Shurshut for testing a control valve used
in a SIF application while the process is in operation.
Industrial Control Specialists may be contacted at 1320 Gauthier Road in Lake Charles, LA and
telephone number 337-474-3163.
--
||| || | ||| || |
||||
|||| ||
||||
||
|---
Note that additional vendors will be added when information is received.
Procedure No.
Revision Date
Page _ of _

203
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex KK Possible technique for evaluating benefit of partial stroke testing of

SIS valves in PFDavg calculations
The following presents the procedure that one recognized consultant in the safety arena uses to evaluate
the benefit of partial stroke testing of SIS valves in determining the PFDavg for the SIF. Users are
cautioned to fully understand this procedure in light of the requirements for the SIF being installed.
Partial-stroke testing can be used to supplement full-stroke testing to reduce the block valve PFDavg. The
amount of the reduction is dependent on the valve and its application environment. The partial-stroke test
involves moving the valve a minimum of 10-20 percent, which tests a portion of the valve failure modes.
The remainder of the failure modes is tested using a full-stroke test. The main purpose of the partialstroke test is to reduce the required full-stroke testing frequency.
Partial-stroke testing may not eliminate the need for a full flow bypass. If the valve is partial-stroke tested
and determined to be non-functional, maintenance will need a bypass or the process will have to be
shutdown for valve repair.
How does partial-stroke testing affect the PFDavg? A complete functional test of the valve can be viewed
as consisting of two parts: the partial-stroke (PS) and the full-stroke (FS). For the calculation, the
D
D
dangerous failure rate, , must be divided into what can be tested at the partial-stroke ( PS) and what
D
can only be tested with a full-stroke ( FS). The resulting equation for the PFD is as follows:
PFDavg =
D
PS
* TIPS/2 +
D
FS
* TIFS/2
(1)
The division of into parts requires an evaluation of the failure modes of the valve. Table KK.1 provides
a listing of typical dangerous failure modes for block valves and the corresponding effect of these failure
modes. The test strategy indicates whether the failure mode can be detected by partial-stroke testing or
only by full-stroke testing. The equation (1) can then be shown as follows:
D
PFDavg = PD * * TIPS/2 + (1-PD)* * TIFS/2

D
(2)
Where the percentage detected (PD) represents the percentage of the total failures detected by the
partial stroke test.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

204
ISA-TR84.00.03-2002
Table KK.1 Dangerous fai lure modes and effects with associated test strategy
Failure Modes
Effects
Test Strategy
Actuator sizing is insufficient to

actuate valve in emergency
conditions
Valve fails to close (or open)
Typically not tested
Valve packing is seized
Test valve Partial or full-stroke
Valve packing is tight
Valve is slow to move to closed or

open position
Not tested unless speed of closure is

monitored.
Air line to actuator crimped or

plugged vent port
Valve is slow to move to closed or

open position
Not tested unless speed of closure is

monitored. Physical inspection
Air line to actuator blocked
Valve fails to move to closed or

open position
Valve stem sticks
Valve seat is scarred
Valve fails to seal off
Full-stroke test with leak test
Valve seat contains debris
Full-stroke test
Valve seat plugged due to

deposition or polymerization
Full-stroke test
The failure modes listed in Table KK.1 can be compared to the failure mode distributions presented in the
Offshore Reliability Data Handbook (OREDA) for various valve types and sizes. Based on the OREDA
data, the percentage of the failures that can be detected by a partial-stroke test is approximately 70%.
The remaining 30% of the failures can only be detected using a full-stroke test.
Users are cautioned that this breakdown is based on average valve performance in offshore installations
and may not represent the breakdown for the Users application. This evaluation should be done for each
valve type, based on the application environment and the shutoff requirements. If the service is erosive,
corrosive, or plugging, the failure rate and failure mode breakdown will be different from that shown in this
Annex. If the valve is specified as tight-shutoff, the contribution of minor seat deformation or scarring will
be more significant than shown in this Annex. For these reasons, it is recommended that partial-stroke
testing not used as a substitute for full-stroke testing for a single block valve application when:
a) the valve has been shown to fail in the service due to process deposition or plugging,
b) the valve is specified as tight-shutoff for safety reasons, and
c) valve leakage can generate a hazardous incident.
Some analysts choose to neglect the PFDavg associated with the failures detected at the partial stroke test
by using the diagnostic coverage (DC) model.
PFDavg = (1-DC) * TIFS/2
D
(3)
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

205
ISA-TR84.00.03-2002
-|
||| || | ||| || |
However, the diagnostic coverage (DC) model is usually reserved for on-line fault detection where the
"testing interval" is within or very near the process time constant. For example, comparison of analog
transmitter signals is performed each scan and can be alarmed on deviation. This means that the
transmitter "test" is performed at least every 150 to 300 ms with a programmable logic controller operating
with a reasonable scan rate. When the transmitter PFDavg is calculated, the appropriate diagnostic
coverage is selected and used with the failure rate and off-line testing frequency for the calculation. In
the case of the transmitters, it is common to neglect the diagnosed portion in the PFDavg calculation,
assuming that the operator will be notified immediately that the SIS is degraded (due to failed transmitter),
has operating procedures to address safe operation during degraded SIS performance, and has the
means and authority to shutdown the operation if necessary.
||||
|||| ||
In contrast to the transmitter, partial stroke tests are typically only performed monthly, quarterly, or
annually. This means that there is a substantial time window in which the valve could be in a dangerous,
undetected state. Neglecting the partial stroke portion of the valve failure rate can yield substantial error
in the calculation. The following is a comparison of the two calculations, assuming 1-year partial stroke
testing, 3-year full stroke test, and MTBF of 35 years.
||||
|
||
Using DC model:
|---
(1-0.70)*(1/35yr)*3yr/2 = 0.0129
Using partial test model:
(1-0.70)*(1/35yr)*3yr/2 + (0.70)*(1/35yr)*1yr/2 = 0.0229
The DC model under predicts the PFDavg of the valve by a factor of 2 at the annual partial stroke test. As
the partial stroke test frequency is increased, the error is, of course, reduced. However, even at monthly
partial stroke test, the contribution of the PFDavg associated with the partial stroke test is still within the SIL
3 PFDavg range. For the DC model assumption to be correct, the testing must be frequent enough that the
-5
PFDavg for partial stroke test is at least an order of magnitude lower than SIL 3 (less than 10 ).
Procedure No.
Revision Date
Page _ of _

|--||
|
||||
|||| ||
--
||| || | ||| || |
||||

207
ISA-TR84.00.03-2002
Annex LL Example method for partial stroke testing of SIS valves
Smart ZV Solution
(Point to Point Mode)
Logic
Solver
24V
Solenoid
S
4-20 mA
||
Supply Pressure
||||
--
ESD
Valve
||| || | ||| || |
Digital Valve
Controller
|||| ||
||||
Travel
And Actuator
Procedure No.
Revision Date
Page _ of _
|---
Exhaust

208
ISA-TR84.00.03-2002
Smart ZV Solution
(Multi-drop Mode)
Logic Solver
Solenoid
24V DC
Line
Conditioner
Exhaust
Supply
Travel
Digital
Valve Controller
ESD
Valve/Actuator
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

209
ISA-TR84.00.03-2002
Smart ZV Approach
How it works
Configuration Using the HART handheld communicator or laptop running vendor specific software
(Valvelink with Fisher Rosemount DVC 6000), the test parameters are downloaded onto the
positioner.
Local Test Push Button when pressed in the field, the positioner performs the predefined limited
travel partial stroke test of the ZV. The results of last test are saved in memory on the positioner.
ESD Override A separate ESD output to the SOV overrides the positioner and drives the valve to
the fail safe position.
Best Application
In pneumatic applications single acting or double acting ZV actuators (normally energized or normally deenergized). Ideal where on-line testing is not possible between scheduled T&Is.
Features
Versatile, modular, design can handle any ESD signal to the SOV (normally energized or
normally de-energized).
Continuously monitored with the 4-20 mA option, ZVs are monitored, even after a trip.
Proven performance installed base in Saudi Aramco has demonstrated reliability.

The smart valve positioner (Fisher Rosemount) is used to perform "limited travel" testing while the valve is
in service on a quarterly basis and full stroke the valve annually.
The smart valve positioner collects valve signature data that can be used to compare with previous test
results to identify changes in valve performance. In addition, the valve signatures collected during
functional testing, provide an audit trail of past functional test results.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

--
||| || | ||| || |
||||
|||| ||
||||
||
|---

211
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex MM Examples of techniques to perform on-line testing of solenoid

valves
There are a variety of methods that can be implemented for on-line testing of solenoids. Each method
requires the installation of test facilities and the development of test procedures. Any functional test of a
solenoid must determine that the solenoid can vent the air (or other fluids) from the valve actuator.
Consequently, the test must determine that the solenoid valve can change states and that the air can be
vented through the solenoid vent port to the atmosphere.
The following discussion provides some examples of on-line solenoid testing methods, including brief
descriptions of the equipment and procedures. Users are cautioned to fully understand how the field
design and test procedures will work in concert to prevent nuisance trips or hazardous situations during
testing.
Solenoid in Bypass
A manual test station can be built that uses hand operated valves to bypass the solenoid valve and place
air directly on the valve actuator, holding the valve in position. Since this results in the bypass of the final
control element, the board operator and field operator must be have a procedure for implementing a safe
shutdown in the event of a process demand during the test.
Limit switches are often incorporated on the hand operated valves to allow bypass alarming to the
operator HMI. Once the instrument air is in bypass, the solenoid is de-energized and pressure indication
is used to determine that the solenoid has properly vented. If 2oo2 solenoid voting is used, no instrument
air bypass is required. For 2oo2 voting, each solenoid is de-energized one-at-a-time and pressure is
monitored to determine that each solenoid has successfully vented.
Solenoid is Pulsed
In this method, the solenoid is tested by pulsing the power to the solenoid. The operator activates a
pushbutton or switch to initiate the test to de-energize the solenoid for as long as the field operator holds
the switch. The field operator monitors the valve position and releases the button when the operator
confirms valve movement. When the valve moves, it can be inferred that the solenoid successfully
vented. Also, if the partial movement of the valve is sufficiently large (10-20%), this test can provide
partial stroke testing of the final control element. The main risk is that the operator may hold the switch
too long or the switch may fail to return to the normal state, allowing the valve to close all the way.
However, most operators quickly learn how long they can press the switch without causing a nuisance
trip.
This method of testing was mandated by the MMS (Government Agency that oversees safety for Oil/Gas
Operations in US Offshore waters). MMS requires that an operator initiate and monitor the test. This
method has worked very well in a number of offshore installations.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

ISA-TR84.00.03-2002
212
Shuttle Valve
Another method uses dual solenoids mounted in parallel with a shuttle valve in the middle. During the
test, pressure indication (e.g. switches or gauges) is used to monitor the discharge pressure of the
solenoids. The test is performed by de-energizing each solenoid separately and verifying that the
solenoid has vented. The reliability of this technique depends on successful operation of the shuttle valve
during the test of each solenoid valve. Improper operation may result in the air being vented from the
actuator.
Integrated Test Package
A fully integrated solenoid package is available from ASCO (2oo2D-SOV, patent pending) that provides
on-line diagnostics of solenoid coil failure and facilitates on-line solenoid testing. During normal
operation, the air signal passes through the package from the signal source to the valve actuator. When
a trip occurs, the solenoids vent the air from the valve actuator and allow the valve to move to its fail-safe
position. The ASCO package can be used in two operational modes:
A normal 2oo2 configuration where both solenoids must de-energize for shutdown. The pressure
switches are used to individually alarm if either solenoid goes to the vent state when not commanded,
reducing the potential for spurious trips. The pressure switches also facilitate automatic on-line
testing, where each solenoid is de-energized individually with pressure switch confirmation of venting.
A 1oo1 configuration where one solenoid is on-line for the shutdown action. The PLC is programmed
so that if the primary solenoid goes to the vent state without being commanded (as detected by the
pressure switch), the secondary solenoid is energized, preventing the spurious trip. Solenoid testing
is performed by cycling the solenoids and verifying vent state. This configuration provides the safety
availability of a 1oo1 configuration with the spurious trip rate of a 2oo2 configuration.
-|
Either configuration can be used for partial stroke testing by pulsing the power to the solenoids for just
long enough to achieve the partial stroke. To verify the movement of the valve, a position transmitter or
limit switch is used. The position indication is also used to prevent over stroking of the block valve, i.e., if
the valve moves too far during the timed stroke, the solenoids are re-energized. Due to solenoid valve
redundancy, this method for pulsing the solenoids has a reduced potential for spurious trips during the
partial stroke test (i.e., both solenoids must fail to return to position to incur a spurious trip.)
||| || | ||| || |
||||
|||| ||
||||
|
||
|---
Procedure No.
Revision Date
Page _ of _

213
ISA-TR84.00.03-2002
3. Drive the output current to 21.2 mA (a different value may be selected by the user with assurance that
upscale overdrive has taken place) and verify readout device indicates bad measurement.
downscale overdrive has taken place) and verify readout device indicates bad measurement.
5. Disconnect the simulator from the loop being tested.
Perform the following steps for verification of transmitter input processing and trip check:
1. Connect the calibrated pressure source to the input side of the transmitter downstream of the process
root valve.
2. Set the calibrated pressure source to allow simulation of the input pressure over the calibrated range
of the transmitter.
3. Increase the simulated pressure until a High pressure pre-alarm and trip occurs as indicated by the
loop documentation (if applicable). Verify and document that pre-alarm and trip occur at correct set
point.
4. Decrease the simulated pressure until the High pressure trip and pre-alarm clears as indicated by
loop documentation (if applicable). Verify and document that trip and pre-alarm clear at correct set
point. Also verify that the SIF does not automatically reset after the trip condition has cleared.
5. Decrease the simulated pressure until a Low pressure pre-alarm and trip occurs as indicated by loop
documentation (if applicable). Verify and document that pre-alarm and trip occurs at correct set point.
6. Increase the simulated pressure until the Low pressure trip and pre-alarm clears as indicated by loop
documentation (if applicable). Verify and document that pre-alarm and trip clear at correct set point.
Also verify that the SIF does not automatically reset after the trip condition has cleared.
7. Document as found and as left alarm and trip settings on appropriate place in test procedure. Table
NN.1 is an example of a way to document this data.
Procedure No.
Revision Date
Page _ of _

|||| ||
||||
||| || | ||| || |
2. Connect the simulator to the instrument loop being tested.
1. The root valve is closed and the system is safely vented prior to connecting the calibrated pressure
source.
--
Using a 4-20 mA signal simulator verify the transmitter fault logic by performing the following steps:
||||
||
Annex NN Model procedure for testing mA pressure transmitters
|---

BODY OF ISA-TR84.00.03-2002.
214
ISA-TR84.00.03-2002
8. Verify that process root valve is open.
Table NN.1 Sample docum entation for high alarm and trip settings
Pressure
Input
Input Range
P1234
(0-xxx psi)
(0-yyy H2O)
High Pre-Alarm
Setpoint
High Trip
Setpoint
Pre-Alarm
Setpoint
Pre-Alarm
Setpoint
P1234
P1234
(As Left)
(xxx psi)
(xxx psi)
(As
Found)
(yyy H2O)
(yyy H2O)
(zzz mA)
(zzz mA)
Trip Setpoint
Trip Setpoint
(As Found)
(As Left)
PT1234
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

215
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex PP Model procedure for testing mA temperature transmitters

Verify the thermocouple (T/C) fault protection by disconnecting the thermocouple and verifying that the
Open T/C tag alarms in control center. The user should be aware that this might be alarmed high, low or
last depending on the Safety Requirements Specifications (SRS) and the application.
Using a 4-20 mA signal simulator verify the transmitter fault logic by performing the following steps:
1. Connect the simulator to the instrument loop being tested.
upscale overdrive has taken place) and verify readout device indicates bad measurement.
downscale overdrive has taken place) and verify readout device indicates bad measurement.
4. Disconnect the simulator from the loop being tested.
Perform the following steps for verification of transmitter input processing and trip check:
1. Connect the calibrated temperature source to input side of transmitter.
2. Set the calibrated temperature source to allow simulation of the input temperature over the calibrated
range of the transmitter.
3. Increase the simulated temperature until a High temperature pre-alarm and trip occurs as indicated
by the loop documentation (if applicable). Verify and document that pre-alarm and trip occur at
correct set point.
4. Decrease the simulated temperature until the High temperature trip and pre-alarm clears as indicated
by loop documentation (if applicable). Verify and document that trip and pre-alarm clear at correct set
point. Also verify that the SIF does not reset automatically.
5. Decrease the simulated temperature until a Low temperature pre-alarm and trip occurs as indicated
by loop documentation (if applicable). Verify and document that pre-alarm and trip occurs at correct
set point.
6. Increase the simulated temperature until the Low temperature trip and pre-alarm clears as indicated
by loop documentation (if applicable). Verify and document that pre-alarm and trip clear at correct set
point. Also verify that the SIF does not reset automatically.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

216
ISA-TR84.00.03-2002
a) Thermocouples
Verify the thermocouple type by physical examination of tag or color code on thermocouple.
Using a calibrated temperature simulator and a portable ice bath, measure the thermocouple output or
temperature with the thermocouple inserted into the ice bath. Verify correct reading for type of
thermocouple used.
Repeat above for ambient temperature measurement and verify that thermocouple output indicated
correct ambient temperature.
If the process temperature measurement must meet a SIL 3 application, use of a certified thermocouple
should be considered.
b) Resistance Temperature Detectors
Verify the resistance temperature detector (RTD) type by physical examination of tag or color code on
sensor.
Using a calibrated temperature simulator and a portable ice bath, measure the RTD output or
temperature with the RTD inserted into the ice bath. Verify correct reading for type of RTD used.
Repeat above for ambient temperature measurement and verify that RTD output indicated correct
ambient temperature.
If the process temperature measurement must meet a SIL 3 application, use of a 4-wire certified RTD
element should be considered.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

217
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex QQ Model procedure for testing mV temperature transmitters

Thermocouple Input Validation and Trip Check
Perform the following steps using Table 5 for verification of thermocouple input processing validation and
trip check.
1. Verify the T/C fault by disconnecting the thermocouple and verifying that the Open T/C tag alarms in
control center.
2. Connect the mV simulator to the thermocouple wiring at the sensor end and simulate the T/C input
over the operating range indicated in the table.
3. Increase the simulated T/C temperature until a high temperature trip occurs as indicated by readout
device in control center.
4. Decrease the simulated T/C temperature until the high temperature trip clears as indicated by readout
device in control center. Also verify that SIF does not automatically reset.
5. Remove the mV signal generator and re-connect the thermocouple.
6. Verify that the readout device in control center High Temp Trip Alarm is Normal.
Repeat the above procedure for low temperature pre-alarm and trip settings as appropriate.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

219
ISA-TR84.00.03-2002

BODY OF ISA-TR84.00.03-2002.
Annex RR Model procedure for testing pressure switches

Perform the following steps for verification of switch input processing validation and trip check:
1. Connect the calibrated pressure source to the input of the pressure switch downstream of process
root valve.
2. Set the calibrated pressure source to allow simulation of the input pressure over the calibrated range
of the pressure switch.
3. Increase the simulated pressure until a High pressure pre-alarm and trip occurs as indicated by the
loop documentation (if applicable). Verify and document that pre-alarm and trip occur at correct set
point.
4. Decrease the simulated pressure until the High pressure trip and pre-alarm clears as indicated by
loop documentation (if applicable). Verify and document that trip and pre-alarm clear at correct set
point. Also verify that the SIF does not automatically reset.
5. Decrease the simulated pressure until a Low pressure pre-alarm and trip occurs as indicated by loop
documentation (if applicable). Verify and document that pre-alarm and trip occurs at correct set point.
6. Increase the simulated pressure until the Low pressure trip and pre-alarm clears as indicated by loop
documentation (if applicable). Verify and document that pre-alarm and trip clear at correct set point.
Also verify that the SIF does not automatically reset.
7. Disconnect pressure source and reconnect switch to process tap and open process root valve.
Procedure No.
Revision Date
Page _ of _
--
||| || | ||| || |
||||
|||| ||
||||
||
|---

-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

-|
||| || | ||| || |
||||
|||| ||
||||
|
||
|---

Developing and promulgating sound consensus standards, recommended practices, and technical
reports is one of ISAs primary goals. To achieve this goal the Standards and Practices Department
relies on the technical expertise and efforts of volunteer committee members, chairmen and reviewers.
ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United
States Technical Advisory Groups (USTAGs) and provides secretariat support for International
Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees
that develop process measurement and control standards. To obtain additional information on the
Societys standards program, please write:
ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709
ISBN: 1-55617-801-8
--
||| || | ||| || |
||||
|||| ||
||||
||
|---


ISA TR84 Part 2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISA TR84 Part 2

Uploaded by

Copyright:

Available Formats

TECHNICAL REPORT

Guidance for Testing of Process

Approved 17 June 2002

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

Emerson Process Management

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

This page intentionally left blank.

Definition of terms and acronyms ........................................................................................................ 13

When should off-line testing be performed................................................................................... 16

Deferral of scheduled testing of SIF ............................................................................................. 20

How to perform off-line testing of SIF........................................................................................... 21

Component testing ....................................................................................................................... 23

Logic solver test procedures ........................................................................................................ 28

Testing of final control elements................................................................................................... 29

Testing solenoid valves ................................................................................................................ 30

Testing of HMI .............................................................................................................................. 30

Final SIF test procedures ............................................................................................................. 31

When should on-line tests be performed...................................................................................... 32

Performing on-line testing ............................................................................................................ 34

Inspection (observation techniques that enhance SIF availability) .............................................. 38

Testing documentation ................................................................................................................. 41

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

Annex N Model procedure for testing temperature switches ................................................................. 85

Annex O Example visual inspection form for SIF................................................................................... 87

Annex J Example of a jumper control list ............................................................................................... 77

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

Definition of terms and acronyms

5.1.1 approved substitution:

solid state non-programmable electronic devices (electronic); and

electro-mechanical devices (electrical);

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

5.1.5 electrical/electronic/programmable (E/E/PE):

5.1.4 communications (external):

electronic devices based on computer technology (programmable electronic).

5.1.6 field sensors:

5.1.11 off-line testing:

5.1.12 on-line testing:

COPYRIGHT 2002; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Shell Services International B.V./5924979112,

5.1.15 replacement in kind:

5.1.17 safety instrumented control function:

5.1.18 safety instrumented protection function:

American National Standards Institute/Instrumentation, Systems, and Automation Society

Basic Process Control System